CVE-2026-21628 CRITICAL

CVE-2026-21628: Extension - astroidframe.work - Unauthenticated Remote Code Execution in Astroid Framework 2.0.0 - 3.3.10 for Joomla

Vendor Astroidframe.work

Product Astroid Template Framework

Weakness CWE-434 · Unrestricted file upload

Published March 5, 2026

Last update March 5, 2026

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y

What the vulnerability does

Description

A improperly secured file management feature allows uploads of dangerous data types for unauthenticated users, leading to remote code execution.

Key dates

March 5, 2026 CVE published

March 5, 2026 Record updated

CVE CVE-2026-21628

CWE CWE-434

CVSS 10.0 / CRITICAL

Vendor Astroidframe.work

Product Astroid Template Framework

Affected 2.0.0-3.3.10