CVE-2026-21627 CRITICAL

CVE-2026-21627: Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla

Vendor Tassos.gr
Product Novarain/Tassos Framework (plg_system_nrframework)
Weakness CWE-284
Published February 20, 2026
Last update February 23, 2026

CVSS base score

9.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.

Explanation of Vulnerability in Simple Terms

02Summary

The Novarain/Tassos Framework contains an access control flaw that allows attackers to bypass authentication or authorization checks. An attacker with network access can exploit this vulnerability without requiring user interaction or special privileges. The flaw affects versions 4.10.14 through 6.0.37 and may result in unauthorized access to sensitive data or functionality.

What an attacker can do

03Attacker Capabilities

Bypass authentication or authorization to access restricted data or functionality without valid credentials.

Potential impact on your site

04Site Impact

Unauthorized users may access sensitive information, modify content, or perform administrative actions without permission.

Conditions required to exploit

05Prerequisites

Network access to the affected Joomla site; no authentication or user interaction required.

Key dates

06Disclosure timeline

February 20, 2026 CVE published
February 23, 2026 Record updated