Debugging enabled in production in putyourlightson/craft-sprig

Description

The Sprig Plugin for Craft CMS potentially discloses sensitive information via the Sprig Playground. Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData() signing function.

This issue was mitigated in versions 3.7.2 and 2.15.2 by disabling access to the Sprig Playground entirely when devMode is disabled, by default. It is possible to override this behaviour using a new enablePlaygroundWhenDevModeDisabled setting that defaults to false.
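A check a site maintainer could run against a project, added here as an example and not part of the advisory or the plugin's code: it reads the installed plugin version from `composer.lock` and flags the override setting in the plugin config text. The status names, the sample inputs, and passing the config file contents in as a string are assumptions of this example.

```python
import json
import re

PACKAGE = "putyourlightson/craft-sprig"
# First patched release per major line, as stated in the advisory text.
PATCHED = {2: (2, 15, 2), 3: (3, 7, 2)}
OVERRIDE = re.compile(
    r"""['"]enablePlaygroundWhenDevModeDisabled['"]\s*=>\s*true\b""", re.I)


def parse_version(text):
    """Turn '3.7.1' or 'v2.15.2' into a tuple of ints; None if not numeric."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def audit(lock_text, config_text=""):
    """Return (status, version): status is one of 'not-installed',
    'unpatched', 'patched', 'patched-but-override-enabled', 'unknown'."""
    lock = json.loads(lock_text)
    pkgs = lock.get("packages", []) + lock.get("packages-dev", [])
    entry = next((p for p in pkgs if p.get("name") == PACKAGE), None)
    if entry is None:
        return "not-installed", None
    raw = entry.get("version", "")
    version = parse_version(raw)
    fixed = PATCHED.get(version[0]) if version else None
    if fixed is None:
        # Dev branch, or a major line the advisory gives no fix for.
        return "unknown", raw
    if version < fixed:
        return "unpatched", raw
    if OVERRIDE.search(config_text):
        # Patched, but the playground is re-enabled with devMode off.
        return "patched-but-override-enabled", raw
    return "patched", raw


# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.5.0"},
    {"name": PACKAGE, "version": "2.15.1"},
]})
SAMPLE_CONFIG = "<?php\nreturn ['enablePlaygroundWhenDevModeDisabled' => true];\n"

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK))
```

A result of `patched-but-override-enabled` means the playground is reachable with devMode disabled, so its permission assignments deserve review.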

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
