CVE-2026-21627

CRITICAL

Tassos Framework Plugin - Auth Bypass

Title source: llm

Description

The vulnerability is rooted in how the Tassos Framework system plugin (plg_system_nrframework) handled specific AJAX requests dispatched through Joomla's com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without the access check that should have restricted it (CWE-284, improper access control). The CVSS v4 vector below rates the issue as reachable over the network without privileges or user interaction (PR:N/UI:N), but with high attack complexity and attack requirements present (AC:H/AT:P), i.e. the preconditions referred to as "certain conditions" must hold on the target site. The bundled framework ships with several Tassos extensions, which is why the product list names six affected products rather than one.

Exploits (2)

GitHub, working PoC, 10 stars, by XiaomingX (pythonpoc):
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-21627
nomisec, working PoC, by yallasec (poc):
https://github.com/yallasec/CVE-2026-21627---Tassos-Novarain-Framework-plg_system_nrframework-Exploit---Joomla

Scores

CVSS v4 base score: 9.5 (Critical)
EPSS: 0.0002 (a 0.02% predicted probability of exploitation in the wild within 30 days)
EPSS percentile: 4.7%
CVSS v4 vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Details

CWE
CWE-284 (Improper Access Control)
Status published
Products (6), listed as vendor/product and affected version range
tassos.gr/Advanced Custom Fields 2.2.0–3.1.0
tassos.gr/Convert Forms 3.2.12–5.1.0
tassos.gr/EngageBox 6.0.0–7.1.0
tassos.gr/Google Structured Data 5.1.7–6.1.0
tassos.gr/Novarain/Tassos Framework (plg_system_nrframework) 4.10.14–6.0.37
tassos.gr/Smile Pack 1.0.0–2.1.0
Published Feb 20, 2026
Tracked Since Feb 20, 2026
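The following triage helper is an added example; it is not code from the advisory, from either listed PoC, or from the vendor. It turns the two pieces of information the advisory does give (the com_ajax dispatch path and the affected version ranges) into something a defender can run: a version check against the listed ranges, and a hunt over web-server access logs for requests that reached com_ajax with the framework plugin as target. It assumes, as Joomla's com_ajax normally behaves, that a system plugin is addressed through the `plugin=` query parameter (so plg_system_nrframework appears as `plugin=nrframework`) and that with SEF URLs the component shows up as the `/component/ajax/` path; neither detail is stated on this page. The log lines are constructed for the example. A hit is a lead for review, not proof of exploitation, because the affected extensions use the same endpoint for legitimate front-end features.

```python
"""Triage helper for CVE-2026-21627 (Tassos/Novarain Framework, plg_system_nrframework).

Added example, not vendor or advisory code. Assumptions, not from the advisory:
  - Joomla com_ajax addresses a system plugin via the `plugin=` query parameter,
    so plg_system_nrframework is targeted as plugin=nrframework.
  - With SEF URLs enabled, option=com_ajax is routed as the path /component/ajax/.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Affected version ranges copied from the advisory's product list, treated as inclusive.
AFFECTED = {
    "Advanced Custom Fields": ("2.2.0", "3.1.0"),
    "Convert Forms": ("3.2.12", "5.1.0"),
    "EngageBox": ("6.0.0", "7.1.0"),
    "Google Structured Data": ("5.1.7", "6.1.0"),
    "Tassos Framework (plg_system_nrframework)": ("4.10.14", "6.0.37"),
    "Smile Pack": ("1.0.0", "2.1.0"),
}


def parse_version(v):
    """'6.0.37' -> (6, 0, 37, 0). Pads to four parts so '6.0' compares equal to '6.0.0';
    a trailing suffix such as '-rc1' is ignored."""
    core = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(product, version):
    """True if `version` of `product` falls inside the advisory's affected range."""
    lo, hi = AFFECTED[product]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for the example; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2026:10:01:02 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [20/Feb/2026:10:01:05 +0000] "POST /index.php?option=com_ajax&plugin=nrframework&format=raw HTTP/1.1" 200 1024 "https://example.test/contact" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2026:10:01:06 +0000] "GET /component/ajax/?plugin=NRFramework&format=json HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.5 - - [20/Feb/2026:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.5 - - [20/Feb/2026:10:02:01 +0000] "GET /index.php?option=com_ajax&plugin=othersys&format=raw HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""


def com_ajax_plugin_hits(log_lines, plugin="nrframework"):
    """Return (ip, timestamp, method, status, query) tuples for requests that reached
    com_ajax with `plugin` as the dispatched system plugin. Parameters are decoded
    rather than substring-matched so order, case and URL encoding do not matter."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        query = parse_qs(url.query, keep_blank_values=True)
        params = {k.lower(): [x.lower() for x in v] for k, v in query.items()}
        # Non-SEF form uses option=com_ajax; SEF form (assumed) routes it as /component/ajax/.
        is_ajax = "com_ajax" in params.get("option", []) or "/component/ajax" in url.path.lower()
        if is_ajax and plugin.lower() in params.get("plugin", []):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         int(m.group("status")), query))
    return hits


def count_by_ip(hits):
    """Source IPs ranked by how many com_ajax plugin requests they sent; a single
    source hammering the endpoint is the first thing to look at."""
    return dict(Counter(h[0] for h in hits))


if __name__ == "__main__":
    for product, (lo, hi) in AFFECTED.items():
        print(f"{product}: affected {lo} to {hi}")
    hits = com_ajax_plugin_hits(SAMPLE_LOG.splitlines())
    for ip, ts, method, status, query in hits:
        print(ip, ts, method, status, query.get("format"))
    print(count_by_ip(hits))
```

Feed `com_ajax_plugin_hits` the real access log (one line per element) and compare the version reported in the Joomla extension manager against `is_affected` for each installed Tassos product; a site on an affected framework version with unexplained com_ajax hits from a single source is the case worth escalating.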