CRITICALCVE-2026-21627Published Modified CNA Joomla
CVE-2026-21627: Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla
The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.
Metrics
- CVSS v4.0
- 9.5
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 6
Affected packages
- tassos.gr / Novarain/Tassos Framework (plg_system_nrframework)4.10.14–6.0.37
- tassos.gr / Convert Forms3.2.12–5.1.0
- tassos.gr / EngageBox6.0.0–7.1.0
- tassos.gr / Google Structured Data5.1.7–6.1.0
- tassos.gr / Advanced Custom Fields2.2.0–3.1.0
- tassos.gr / Smile Pack1.0.0–2.1.0
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HReferences