CVE-2026-48906 CRITICAL

CVE-2026-48906: Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla

Vendor Tassos.gr

Product Novarain/Tassos Framework (plg_system_nrframework)

Weakness CWE-284

Published May 27, 2026

Last update June 5, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/AU:Y

What the vulnerability does

Description

The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.

Key dates

Disclosure timeline

May 27, 2026 CVE published

June 5, 2026 Record updated

Identifiers

CVE CVE-2026-48906

CWE CWE-284

CVSS 9.3 / CRITICAL

Affected versions

Vendor Tassos.gr

Product Novarain/Tassos Framework (plg_system_nrframework)

Affected 1.0.0-6.0.1

Vendor Tassos.gr

Product Convert Forms

Affected 1.0.0-4.4.12

Vendor Tassos.gr

Product Convert Forms

Affected 5.0.0-5.1.5

Vendor Tassos.gr

Product EngageBox

Affected 1.0.0-6.3.11

Vendor Tassos.gr

Product EngageBox

Affected 7.0.0-7.1.1

Vendor Tassos.gr

Product Google Structured Data

Affected 1.0.0-5.6.11

Vendor Tassos.gr

Product Google Structured Data

Affected 6.0.0-6.1.9

Vendor Tassos.gr

Product Advanced Custom Fields

Affected 1.0.0-2.8.12

Vendor Tassos.gr

Product Advanced Custom Fields

Affected 3.0.0-3.1.3

Vendor Tassos.gr

Product Smile Pack

Affected 1.0.0-1.2.6

Vendor Tassos.gr

Product Smile Pack

Affected 2.0.0-2.1.0

Vendor Tassos.gr

Product Tassos Code Snippets

Affected 1.0.0

Vendor Tassos.gr

Product MailChimp Auto-Subscribe

Affected 1.0.0-5.0.5

Vendor Tassos.gr

Product MailChimp Auto-Subscribe

Affected 5.1.0-5.2.0