What the vulnerability does
01Description
The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.
Explanation of Vulnerability in Simple Terms
02Summary
The Novarain/Tassos Framework contains an access control flaw that allows attackers to bypass authentication or authorization checks. An attacker with network access can exploit this vulnerability without requiring user interaction or special privileges. The flaw affects versions 4.10.14 through 6.0.37 and may result in unauthorized access to sensitive data or functionality.
What an attacker can do
03Attacker Capabilities
Bypass authentication or authorization to access restricted data or functionality without valid credentials.
Potential impact on your site
04Site Impact
Unauthorized users may access sensitive information, modify content, or perform administrative actions without permission.
Conditions required to exploit
05Prerequisites
Network access to the affected Joomla site; no authentication or user interaction required.
Key dates
06Disclosure timeline
February 20, 2026
CVE published
February 23, 2026
Record updated