Description
The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.
Published: 2026-02-20
Score: 9.5 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection and Unauthenticated File Read
Action: Immediate Patch
AI Analysis

Impact

The Tassos Framework plugin incorrectly processes certain AJAX requests via Joomla’s com_ajax entry point. When an attacker crafts the right input, internal functions can be invoked without proper authentication checks, allowing them to inject SQL commands and read files that should be protected. This flaw gives attackers direct access to database contents and sensitive file data, compromising both confidentiality and integrity.

Affected Systems

Vulnerable products include Tassos Framework (plg_system_nrframework) and its bundled extensions: Advanced Custom Fields, Convert Forms, EngageBox, Google Structured Data, and Smile Pack. The flaw exists in all releases from version 4.10.14 up to 6.0.37 inclusive.

Risk and Exploitability

With a CVSS score of 9.5, the issue is considered critical, but current EPSS indicates low exploitation probability (<1%). The vulnerability is not yet listed in CISA’s KEV catalog. Attackers can send crafted AJAX requests to the com_ajax endpoint from any web client, bypassing authentication (CWE‑284). No local privileges are required; remote unauthenticated execution leads to full SQL injection and file read capabilities.

Generated by OpenCVE AI on April 17, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade all affected Tassos plugins to the latest released versions (6.0.37 or newer).
  • Restrict access to Joomla’s com_ajax endpoint so that only authenticated users can invoke it, for example by applying ACL changes or using a firewall rule.
  • If an update is not immediately available, disable the vulnerable extensions or delete the Tassos Framework installation until a patch is released.

Advisories

No advisories yet.

References

Link: https://tassos.gr
History

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tassos.gr; Tassos.gr advanced Custom Fields; Tassos.gr convert Forms; Tassos.gr engagebox; Tassos.gr google Structured Data; Tassos.gr novarain; Tassos.gr smile Pack

Type: Vendors & Products
Values Removed: (none)
Values Added: Tassos.gr; Tassos.gr advanced Custom Fields; Tassos.gr convert Forms; Tassos.gr engagebox; Tassos.gr google Structured Data; Tassos.gr novarain; Tassos.gr smile Pack

Fri, 20 Feb 2026 21:15:00 +0000

Type: Metrics ssvc
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 14:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.

Type: Title
Values Removed: (none)
Values Added: Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284

Type: References

Type: Metrics cvssV4_0
Values Removed: (none)
Values Added: {'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-02-23T05:07:12.296Z

Reserved: 2026-01-01T04:42:27.960Z

Link: CVE-2026-21627

Vulnrichment

Updated: 2026-02-20T20:43:02.670Z

NVD

Status: Deferred

Published: 2026-02-20T15:20:29.467

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-21627

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses