CVE-2026-21628 CRITICAL

CVE-2026-21628: Extension - astroidframe.work - Unauthenticated Remote Code Execution in Astroid Framework 2.0.0 - 3.3.10 for Joomla

Vendor Astroidframe.work
Product Astroid Template Framework
Weakness CWE-434 · Unrestricted file upload
Published March 5, 2026
Last update March 5, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y

What the vulnerability does

01Description

A improperly secured file management feature allows uploads of dangerous data types for unauthenticated users, leading to remote code execution.

Explanation of Vulnerability in Simple Terms

02Summary

The Astroid Template Framework contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files over the network. An attacker can upload malicious files without authentication or user interaction, potentially leading to remote code execution or site compromise. This affects versions 2.0.0 through 3.3.10.

What an attacker can do

03Attacker Capabilities

Upload arbitrary files to the server without authentication, potentially executing malicious code.

Potential impact on your site

04Site Impact

An attacker can upload and execute malicious files, gaining full control of your site.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

March 5, 2026 CVE published
March 5, 2026 Record updated

Related vulnerabilities

08Related CVE