Medium severity5.5NVD Advisory· Published Mar 23, 2026· Updated Apr 15, 2026
CVE-2026-27131
CVE-2026-27131
Description
The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData() signing function. This issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when devMode is disabled, by default. It is possible to override this behavior using a new enablePlaygroundWhenDevModeDisabled that defaults to false.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
putyourlightson/craft-sprigPackagist | >= 2.0.0, < 2.15.2 | 2.15.2 |
putyourlightson/craft-sprigPackagist | >= 3.0.0, < 3.7.2 | 3.7.2 |
Affected products
1Patches
209c9da2ffb45Add playground config setting
6 files changed · +23 −3
CHANGELOG.md+4 −0 modified@@ -1,5 +1,9 @@ # Release Notes for Sprig +## 2.15.2 - Unreleased + +- The Sprig Playground is now only available in environments in which `devMode` is enabled, unless the `enablePlaygroundWhenDevModeDisabled` config setting is explicitly set to `true`. + ## 2.15.1 - 2025-09-14 - Updated htmx to version 2.0.7 ([changelog](https://github.com/bigskysoftware/htmx/blob/master/CHANGELOG.md#207---2025-09-08)).
composer.json+1 −1 modified@@ -1,7 +1,7 @@ { "name": "putyourlightson/craft-sprig", "description": "A reactive Twig component framework for Craft.", - "version": "2.15.1", + "version": "2.15.2", "type": "craft-plugin", "license": "mit", "require": {
src/config.php+3 −0 modified@@ -21,5 +21,8 @@ '*' => [ // Whether the playground should be enabled. //'enablePlayground' => true, + + // Whether the playground should be disabled when `devMode` is disabled + //'enablePlaygroundWhenDevModeDisabled' => false, ], ];
src/controllers/PlaygroundController.php+1 −1 modified@@ -18,7 +18,7 @@ public function beforeAction($action): bool return false; } - if (!Sprig::$plugin->settings->enablePlayground) { + if (!Sprig::$plugin->settings->getCanAccessPlayground()) { return false; }
src/models/SettingsModel.php+13 −0 modified@@ -13,4 +13,17 @@ class SettingsModel extends Model * @var bool Whether the playground should be enabled. */ public bool $enablePlayground = true; + + /** + * @var bool Whether the playground should be enabled when `devMode` is disabled + */ + public bool $enablePlaygroundWhenDevModeDisabled = false; + + /** + * Returns whether the playground can be accessed. + */ + public function getCanAccessPlayground(): bool + { + return $this->enablePlayground && ($this->enablePlaygroundWhenDevModeDisabled || Craft::$app->getConfig()->getGeneral()->devMode); + } }
src/Sprig.php+1 −1 modified@@ -60,7 +60,7 @@ public function init(): void parent::init(); self::$plugin = $this; - $this->hasCpSection = $this->settings->enablePlayground; + $this->hasCpSection = $this->settings->getCanAccessPlayground(); $this->_registerCpRoutes(); $this->_registerAutocompletes();
db18c46f6dc5Add playground config setting
6 files changed · +24 −3
CHANGELOG.md+4 −0 modified@@ -1,5 +1,9 @@ # Release Notes for Sprig +## 3.7.2 - Unreleased + +- The Sprig Playground is now only available in environments in which `devMode` is enabled, unless the `enablePlaygroundWhenDevModeDisabled` config setting is explicitly set to `true`. + ## 3.7.1 - 2025-09-14 - Updated htmx to version 2.0.7 ([changelog](https://github.com/bigskysoftware/htmx/blob/master/CHANGELOG.md#207---2025-09-08)).
composer.json+1 −1 modified@@ -1,7 +1,7 @@ { "name": "putyourlightson/craft-sprig", "description": "A reactive Twig component framework for Craft.", - "version": "3.7.1", + "version": "3.7.2", "type": "craft-plugin", "license": "mit", "require": {
src/config.php+3 −0 modified@@ -21,5 +21,8 @@ '*' => [ // Whether the playground should be enabled. //'enablePlayground' => true, + + // Whether the playground should be disabled when `devMode` is disabled + //'enablePlaygroundWhenDevModeDisabled' => false, ], ];
src/controllers/PlaygroundController.php+1 −1 modified@@ -18,7 +18,7 @@ public function beforeAction($action): bool return false; } - if (!Sprig::$plugin->settings->enablePlayground) { + if (!Sprig::$plugin->settings->getCanAccessPlayground()) { return false; }
src/models/SettingsModel.php+14 −0 modified@@ -5,6 +5,7 @@ namespace putyourlightson\sprig\plugin\models; +use Craft; use craft\base\Model; class SettingsModel extends Model @@ -13,4 +14,17 @@ class SettingsModel extends Model * @var bool Whether the playground should be enabled. */ public bool $enablePlayground = true; + + /** + * @var bool Whether the playground should be enabled when `devMode` is disabled + */ + public bool $enablePlaygroundWhenDevModeDisabled = false; + + /** + * Returns whether the playground can be accessed. + */ + public function getCanAccessPlayground(): bool + { + return $this->enablePlayground && ($this->enablePlaygroundWhenDevModeDisabled || Craft::$app->getConfig()->getGeneral()->devMode); + } }
src/Sprig.php+1 −1 modified@@ -60,7 +60,7 @@ public function init(): void parent::init(); self::$plugin = $this; - $this->hasCpSection = $this->settings->enablePlayground; + $this->hasCpSection = $this->settings->getCanAccessPlayground(); $this->registerCpRoutes(); $this->registerAutocompletes();
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-m59h-42jf-cphrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27131ghsaADVISORY
- github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390ae2578e26cfe03bnvdWEB
- github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3a615adbd677d475nvdWEB
- github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42jf-cphrnvdWEB
News mentions
0No linked articles in our index yet.