← voltar
CVE-2026-27131

Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground

CVSS 5.5 MEDIUMEPSS 0.3%CWE-200CWE-489
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 5.5EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
23 mar 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the `hashData()` signing function. This issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default. It is possible to override this behavior using a new `enablePlaygroundWhenDevModeDisabled` that defaults to `false`.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Produtos afetados
putyourlightson · craft-sprig

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390ae2578e26cfe03bhttps://github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3a615adbd677d475https://github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42jf-cphr