PT-2026-27177 · WordPress · Sprig Plugin For Craft Cms
Neosprings
·
Published
2026-03-23
·
Updated
2026-03-23
·
CVE-2026-27131
CVSS v3.1
5.5
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Sprig Plugin for Craft CMS versions prior to 2.15.2
Sprig Plugin for Craft CMS versions prior to 3.15.2
Description
The Sprig Plugin for Craft CMS allows admin users and those with Sprig Playground access to potentially reveal security keys, credentials, and other sensitive configuration data. The
hashData() function can also be executed. This issue was addressed by disabling Sprig Playground access when devMode is disabled, with a configuration option (enablePlaygroundWhenDevModeDisabled) to override this behavior.Recommendations
Update to Sprig Plugin for Craft CMS version 2.15.2 or later.
Update to Sprig Plugin for Craft CMS version 3.15.2 or later.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Sprig Plugin For Craft Cms