{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21627", "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "state": "PUBLISHED", "assignerShortName": "Joomla", "dateReserved": "2026-01-01T04:42:27.960Z", "datePublished": "2026-02-20T14:22:14.744Z", "dateUpdated": "2026-02-23T05:07:12.296Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Novarain/Tassos Framework (plg_system_nrframework)", "vendor": "tassos.gr", "versions": [{"status": "affected", "version": "4.10.14\u20136.0.37"}]}, {"defaultStatus": "unaffected", "product": "Convert Forms", "vendor": "tassos.gr", "versions": [{"status": "affected", "version": "3.2.12\u20135.1.0"}]}, {"defaultStatus": "unaffected", "product": "EngageBox", "vendor": "tassos.gr", "versions": [{"status": "affected", "version": "6.0.0\u20137.1.0"}]}, {"defaultStatus": "unaffected", "product": "Google Structured Data", "vendor": "tassos.gr", "versions": [{"status": "affected", "version": "5.1.7\u20136.1.0"}]}, {"defaultStatus": "unaffected", "product": "Advanced Custom Fields", "vendor": "tassos.gr", "versions": [{"status": "affected", "version": "2.2.0\u20133.1.0"}]}, {"defaultStatus": "unaffected", "product": "Smile Pack", "vendor": "tassos.gr", "versions": [{"status": "affected", "version": "1.0.0\u20132.1.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "p1r0x / ssd-disclosure.com"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction."}], "value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "baseSeverity": "CRITICAL", "baseScore": 9.5, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "references": [{"tags": ["product"], "url": "https://tassos.gr"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla", "dateUpdated": "2026-02-23T05:07:12.296Z"}, "source": {"discovery": "UNKNOWN"}, "title": "Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 \u2013 v6.0.37 for Joomla", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T20:42:52.948106Z", "id": "CVE-2026-21627", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:43:10.027Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21627", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T20:42:52.948106Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:43:02.670Z"}}], "cna": {"title": "Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 \u2013 v6.0.37 for Joomla", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "p1r0x / ssd-disclosure.com"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "tassos.gr", "product": "Novarain/Tassos Framework (plg_system_nrframework)", "versions": [{"status": "affected", "version": "4.10.14\u20136.0.37"}], "defaultStatus": "unaffected"}, {"vendor": "tassos.gr", "product": "Convert Forms", "versions": [{"status": "affected", "version": "3.2.12\u20135.1.0"}], "defaultStatus": "unaffected"}, {"vendor": "tassos.gr", "product": "EngageBox", "versions": [{"status": "affected", "version": "6.0.0\u20137.1.0"}], "defaultStatus": "unaffected"}, {"vendor": "tassos.gr", "product": "Google Structured Data", "versions": [{"status": "affected", "version": "5.1.7\u20136.1.0"}], "defaultStatus": "unaffected"}, {"vendor": "tassos.gr", "product": "Advanced Custom Fields", "versions": [{"status": "affected", "version": "2.2.0\u20133.1.0"}], "defaultStatus": "unaffected"}, {"vendor": "tassos.gr", "product": "Smile Pack", "versions": [{"status": "affected", "version": "1.0.0\u20132.1.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://tassos.gr", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.", "supportingMedia": [{"type": "text/html", "value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla", "dateUpdated": "2026-02-23T05:07:12.296Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21627", "state": "PUBLISHED", "dateUpdated": "2026-02-23T05:07:12.296Z", "dateReserved": "2026-01-01T04:42:27.960Z", "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "datePublished": "2026-02-20T14:22:14.744Z", "assignerShortName": "Joomla"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla\u2019s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction."}, {"lang": "es", "value": "La vulnerabilidad estaba arraigada en c\u00f3mo el plugin Tassos Framework manejaba solicitudes AJAX espec\u00edficas a trav\u00e9s del punto de entrada com_ajax de Joomla. Bajo ciertas condiciones, la funcionalidad interna del framework podr\u00eda ser invocada sin la restricci\u00f3n adecuada."}], "id": "CVE-2026-21627", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.5, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@joomla.org", "type": "Secondary"}]}, "published": "2026-02-20T15:20:29.467", "references": [{"source": "security@joomla.org", "url": "https://tassos.gr"}], "sourceIdentifier": "security@joomla.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@joomla.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.2.0,3.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Advanced Custom Fields", "source": "cna", "vendor": "tassos.gr"}, "product": "advanced_custom_fields", "vendor": "tassos.gr"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.12,5.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Convert Forms", "source": "cna", "vendor": "tassos.gr"}, "product": "convert_forms", "vendor": "tassos.gr"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,7.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "EngageBox", "source": "cna", "vendor": "tassos.gr"}, "product": "engagebox", "vendor": "tassos.gr"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.1.7,6.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Google Structured Data", "source": "cna", "vendor": "tassos.gr"}, "product": "google_structured_data", "vendor": "tassos.gr"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.10.14,6.0.37]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Novarain/Tassos Framework (plg_system_nrframework)", "source": "cna", "vendor": "tassos.gr"}, "product": "novarain", "vendor": "tassos.gr"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,2.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Smile Pack", "source": "cna", "vendor": "tassos.gr"}, "product": "smile_pack", "vendor": "tassos.gr"}], "analysis": {"en": {"generated_at": "2026-04-17T17:29:05.407296+00:00", "value": {"mitigation_remediation": ["Upgrade all affected Tassos plugins to the latest released versions (\u2265\u202f6.0.37 or newer).", "Restrict access to Joomla\u2019s com_ajax endpoint so that only authenticated users can invoke it, for example by applying ACL changes or using a firewall rule.", "If an update is not immediately available, disable the vulnerable extensions or delete the Tassos Framework installation until a patch is released."], "summary": {"action": "Immediate Patch", "impact": "Remote SQL Injection and Unauthenticated File Read"}, "threat_synthesis": {"affected_systems": "Vulnerable products include Tassos Framework (plg_system_nrframework) and its bundled extensions: Advanced Custom Fields, Convert Forms, EngageBox, Google Structured Data, and Smile Pack. The flaw exists in all releases from version 4.10.14 up to 6.0.37 inclusive.", "description_and_impact": "The Tassos Framework plugin incorrectly processes certain AJAX requests via Joomla\u2019s com_ajax entry point. When an attacker crafts the right input, internal functions can be invoked without proper authentication checks, allowing them to inject SQL commands and read files that should be protected. This flaw gives attackers direct access to database contents and sensitive file data, compromising both confidentiality and integrity.", "risk_and_exploitability": "With a CVSS score of 9.5, the issue is considered critical, but current EPSS indicates low exploitation probability (<1%). The vulnerability is not yet listed in CISA\u2019s KEV catalog. Attackers can send crafted AJAX requests to the com_ajax endpoint from any web client, bypassing authentication (CWE\u2011284). No local privileges are required; remote unauthenticated execution leads to full SQL injection and file read capabilities."}}}}, "created": "2026-02-23T14:47:01.508898+00:00", "updated": "2026-04-17T17:30:23.868340+00:00", "vendors": ["tassos.gr", "tassos.gr$PRODUCT$advanced_custom_fields", "tassos.gr$PRODUCT$convert_forms", "tassos.gr$PRODUCT$engagebox", "tassos.gr$PRODUCT$google_structured_data", "tassos.gr$PRODUCT$novarain", "tassos.gr$PRODUCT$smile_pack"]}