Merge pull request #7235 from github/bencroker-GHSA-m59h-42jf-cphr

advisory-database[bot] · web-flow · commit b20f5dfad225 · 2026-03-25T19:59:23.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-m59h-42jf-cphr/GHSA-m59h-42jf-cphr.json b/advisories/github-reviewed/2026/03/GHSA-m59h-42jf-cphr/GHSA-m59h-42jf-cphr.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m59h-42jf-cphr",
-  "modified": "2026-03-23T20:25:37Z",
+  "modified": "2026-03-23T20:25:40Z",
   "published": "2026-03-23T20:25:37Z",
   "aliases": [
     "CVE-2026-27131"
   ],
   "summary": "Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground",
-  "details": "Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the `hashData()` signing function.\n\nThis issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default. It is possible to override this behaviour using a new `enablePlaygroundWhenDevModeDisabled` that defaults to `false`.",
+  "details": "Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the `hashData()` signing function.\n\nThis issue was mitigated in versions 3.7.2 and 2.15.2 by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default. It is possible to override this behaviour using a new `enablePlaygroundWhenDevModeDisabled` that defaults to `false`.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -28,7 +28,7 @@
               "introduced": "3.0.0"
             },
             {
-              "fixed": "3.15.2"
+              "fixed": "3.7.2"
             }
           ]
         }

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,13 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-m59h-42jf-cphr",`
`4`		`- "modified": "2026-03-23T20:25:37Z",`
	`4`	`+ "modified": "2026-03-23T20:25:40Z",`
`5`	`5`	`"published": "2026-03-23T20:25:37Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2026-27131"`
`8`	`8`	`],`
`9`	`9`	`"summary": "Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground",`
`10`		- "details": "Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the `hashData()` signing function.\n\nThis issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default. It is possible to override this behaviour using a new `enablePlaygroundWhenDevModeDisabled` that defaults to `false`.",
	`10`	+ "details": "Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the `hashData()` signing function.\n\nThis issue was mitigated in versions 3.7.2 and 2.15.2 by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default. It is possible to override this behaviour using a new `enablePlaygroundWhenDevModeDisabled` that defaults to `false`.",
`11`	`11`	`"severity": [`
`12`	`12`	`{`
`13`	`13`	`"type": "CVSS_V3",`
`@@ -28,7 +28,7 @@`
`28`	`28`	`"introduced": "3.0.0"`
`29`	`29`	`},`
`30`	`30`	`{`
`31`		`- "fixed": "3.15.2"`
	`31`	`+ "fixed": "3.7.2"`
`32`	`32`	`}`
`33`	`33`	`]`
`34`	`34`	`}`