CVE-2026-21627 CRITICAL

CVE-2026-21627: Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla

Vendor: Tassos.gr
Product: Novarain/Tassos Framework (plg_system_nrframework)
Weakness: CWE-284
Published: February 20, 2026
Last update: February 23, 2026

CVSS base score

9.5/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

Description

The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.

Key dates

Disclosure timeline

February 20, 2026: CVE published
February 23, 2026: Record updated