Description
The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.
Published: 2026-05-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Tassos Framework Plugin permits an attacker to delete any file located on the site, resulting in the loss of content or configuration files, or opening the way to deploying malicious artifacts. This flaw falls under CWE‑284, an improper access control weakness, and is rated with a CVSS score of 9.3, indicating a critical threat to confidentiality, integrity, and availability.

Affected Systems

The flaw affects all extensions released by tassos.gr, including Advanced Custom Fields, Convert Forms, EngageBox, Google Structured Data, MailChimp Auto‑Subscribe, the Novarain/Tassos Framework core module (plg_system_nrframework), Smile Pack, and Tassos Code Snippets. The vulnerability exists in any installation running a version earlier than 6.1.0, as indicated by the advisory's title.

Risk and Exploitability

The EPSS score is < 1%, indicating a very low probability of exploitation in the wild. The high CVSS rating and lack of KEV listing suggest that while the flaw is serious, it has not yet been widely abused. The likely attack vector involves an attacker with some level of access to the Joomla administrative interface or the ability to invoke the plugin's functionality. Once activated, the plugin can remove arbitrary files, potentially crippling the site or facilitating further compromise. Because no public exploit is documented, defensive actions should focus on remediation rather than detection.

Generated by OpenCVE AI on June 1, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tassos Framework and all affected extensions to version 6.1.0 or later to fix the deletion flaw
  • If an upgrade cannot be performed immediately, disable or remove the Tassos Framework plugin and any other affected Tassos extensions from the site
  • Restrict the web server’s write permissions to directories that truly require them and monitor filesystem changes for unauthorized deletions



Advisories

No advisories yet.

References
Link: https://tassos.gr
History

Mon, 01 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared:
  Tassos
  Tassos advanced Custom Fields
  Tassos convert Forms
  Tassos engagebox
  Tassos google Structured Data
  Tassos mailchimp Auto-subscribe
  Tassos smile Pack
  Tassos tassos Code Snippets
  Tassos tassos Framework
Weaknesses: NVD-CWE-noinfo
CPEs:
  cpe:2.3:a:tassos:advanced_custom_fields:*:*:*:*:*:joomla\!:*:*
  cpe:2.3:a:tassos:convert_forms:*:*:*:*:*:joomla\!:*:*
  cpe:2.3:a:tassos:engagebox:*:*:*:*:*:joomla\!:*:*
  cpe:2.3:a:tassos:google_structured_data:*:*:*:*:*:joomla\!:*:*
  cpe:2.3:a:tassos:mailchimp_auto-subscribe:*:*:*:*:*:joomla\!:*:*
  cpe:2.3:a:tassos:smile_pack:*:*:*:*:*:joomla\!:*:*
  cpe:2.3:a:tassos:tassos_code_snippets:1.0.0:*:*:*:*:joomla\!:*:*
  cpe:2.3:a:tassos:tassos_framework:*:*:*:*:*:joomla\!:*:*
Vendors & Products:
  Tassos
  Tassos advanced Custom Fields
  Tassos convert Forms
  Tassos engagebox
  Tassos google Structured Data
  Tassos mailchimp Auto-subscribe
  Tassos smile Pack
  Tassos tassos Code Snippets
  Tassos tassos Framework
Metrics: cvssV3_1
  {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared:
  Tassos.gr
  Tassos.gr advanced Custom Fields
  Tassos.gr convert Forms
  Tassos.gr engagebox
  Tassos.gr google Structured Data
  Tassos.gr mailchimp Auto-subscribe
  Tassos.gr novarain
  Tassos.gr smile Pack
  Tassos.gr tassos Code Snippets
Vendors & Products:
  Tassos.gr
  Tassos.gr advanced Custom Fields
  Tassos.gr convert Forms
  Tassos.gr engagebox
  Tassos.gr google Structured Data
  Tassos.gr mailchimp Auto-subscribe
  Tassos.gr novarain
  Tassos.gr smile Pack
  Tassos.gr tassos Code Snippets

Wed, 27 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description: The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.
Title: Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla
Weaknesses: CWE-284
References
Metrics: cvssV4_0
  {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/AU:Y'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-05T07:27:40.844Z

Reserved: 2026-05-26T10:06:17.656Z

Link: CVE-2026-48906

Vulnrichment

Updated: 2026-05-27T12:11:07.476Z

NVD

Status: Analyzed

Published: 2026-05-27T11:16:24.713

Modified: 2026-06-01T14:33:36.133

Link: CVE-2026-48906

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T16:45:16Z

Weaknesses