CVE-2026-21627

CRITICAL

Tassos Framework Plugin - Auth Bypass

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-21627, with PoCs published by XiaomingX and yallasec.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2026-21627, targeting an unauthenticated arbitrary PHP file inclusion vulnerability in the Tassos/Novarain Framework for Joomla CMS. The exploit leverages the 'ajaxTaskInclude()' function to include arbitrary PHP files, enabling file upload, deletion, and potential RCE via SSI injection or PHP polyglot uploads.

Description

The vulnerability is rooted in how the Tassos Framework plugin handles specific AJAX requests routed through Joomla's com_ajax entry point (index.php?option=com_ajax&plugin=...). Under certain conditions, internal framework functionality could be invoked without proper restriction, that is, by a caller who is neither authenticated nor authorized for it (CWE-284, Improper Access Control). The two public PoCs tracked below describe the outcome as an unauthenticated PHP file inclusion that can be chained into file upload, file deletion and code execution.
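The entry point named above is the one thing about this bug that is visible from an ordinary web-server access log, so a first triage step is to pull every request that reaches com_ajax for the nrframework plugin. The Python scanner below is an added example written for this page, not code from the vendor, the PoC authors or the page itself. It relies only on Joomla's standard com_ajax URL parameters (option=com_ajax, plugin=<name>, optional group= and format=); the sample log lines are constructed, and the task parameters the PoCs actually send are not reproduced here because the page does not give them.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Lines 1, 2 and 5 hit the com_ajax entry point for the nrframework plugin;
# line 3 calls a different plugin through com_ajax and line 4 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Feb/2026:10:01:12 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&group=system&format=raw HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [21/Feb/2026:10:01:13 +0000] "POST /index.php?option=com_ajax&plugin=nrframework&group=system&format=raw HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [21/Feb/2026:10:02:40 +0000] "GET /index.php?option=com_ajax&plugin=convertforms&format=json HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Feb/2026:10:03:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Feb/2026:10:03:05 +0000] "GET /index.php?option=com_ajax&plugin=NRFramework&format=raw HTTP/1.1" 403 0 "-" "curl/8.4"
"""

# Apache combined format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse.

    Query keys and values are lower-cased so plugin=NRFramework and
    plugin=nrframework match alike; an attacker may vary case freely and the
    normalization costs nothing.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["path"]).query, keep_blank_values=True)
    rec["query"] = {k.lower(): [v.lower() for v in vals] for k, vals in query.items()}
    return rec


def is_nrframework_ajax(rec):
    """True when the request targets the nrframework plugin through com_ajax.

    Membership tests (rather than equality) keep repeated parameters such as
    option=com_ajax&option=com_ajax from slipping past the check.
    """
    q = rec["query"]
    return "com_ajax" in q.get("option", []) and "nrframework" in q.get("plugin", [])


def find_hits(log_text):
    """All parsed records that hit the nrframework com_ajax entry point."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and is_nrframework_ajax(rec)]


def hits_by_client(hits):
    """Count matching requests per source IP. The PoC summaries describe a
    probe, upload and include sequence, so one client hitting the endpoint
    several times in a short window is more interesting than a single request."""
    return Counter(rec["ip"] for rec in hits)


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["status"]} {rec["path"]}')
    print(dict(hits_by_client(hits)))
```

Two caveats when running this against real logs: the access log records only the query string, so a POST whose parameters travel in the body shows up as a bare com_ajax request to the plugin and the actual task is invisible without WAF or full-request logging; and a 403 on such a request means the server refused it, not that the client was harmless, so the 403 line in the sample is still counted.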

Exploits (2)

GitHub · Working PoC · 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-21627

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Tassos/Novarain Framework (plg_system_nrframework) for Joomla CMS, versions 4.10.14 to 6.0.37
Authentication: none required
Prerequisites: Joomla CMS with the vulnerable Tassos/Novarain Framework plugin installed; network access to the target Joomla site
Analyzed by devstral-2 on Feb 27, 2026
nomisec · Working PoC
by yallasec · poc
https://github.com/yallasec/CVE-2026-21627---Tassos-Novarain-Framework-plg_system_nrframework-Exploit---Joomla

This repository contains a functional Python exploit for CVE-2026-21627, targeting an unauthenticated arbitrary PHP file inclusion vulnerability in the Tassos/Novarain Framework (plg_system_nrframework) for Joomla CMS versions 4.10.14 to 6.0.37. The exploit leverages the 'include' task in onAjaxNrframework() with a raw input filter bypass to achieve file inclusion, deletion, and potential RCE via gadget classes like nrinlinefileupload.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Joomla CMS with Tassos/Novarain Framework (plg_system_nrframework), versions 4.10.14 to 6.0.37
Authentication: none required
Prerequisites: Joomla CMS with the vulnerable Tassos/Novarain Framework plugin; network access to the target
Analyzed by devstral-2 on Feb 27, 2026

References (1)

Core references
Vendor product page (various sources): https://tassos.gr

Scores

CVSS v4: 9.5 (Critical)
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.0040 (0.40%), percentile 31.3%

The vector agrees with the PoC analyses on network reachability with no privileges and no user interaction (AV:N/PR:N/UI:N), but it records high attack complexity and an attack-requirements precondition (AC:H/AT:P), whereas both PoC analyses above rate the exploit as moderate complexity and reliable. The two assessments do not agree on ease of exploitation, so AC:H/AT:P should not be used to lower the patching priority while working public exploits exist.

CISA SSVC (Vulnrichment)

Exploitation: none (CISA's value at the time of enrichment; the two public PoCs tracked above would correspond to SSVC's "poc" level if the assessment were refreshed)
Automatable: no
Technical impact: total

Details

CWE: CWE-284 (Improper Access Control)
Status: published

Products (6), affected version ranges:
tassos.gr / Advanced Custom Fields 2.2.0–3.1.0
tassos.gr / Convert Forms 3.2.12–5.1.0
tassos.gr / EngageBox 6.0.0–7.1.0
tassos.gr / Google Structured Data 5.1.7–6.1.0
tassos.gr / Novarain/Tassos Framework (plg_system_nrframework) 4.10.14–6.0.37
tassos.gr / Smile Pack 1.0.0–2.1.0

Published: Feb 20, 2026
Tracked since: Feb 20, 2026
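The product list above is six separate version ranges, and the framework plugin is listed alongside the vendor's extensions that sit on top of it, so an inventory check has to compare each installed product against its own range. The Python below is an added example for this page, not vendor or PoC code. It encodes the ranges exactly as the page lists them and treats both ends as inclusive because the PoC target ranges on this page use the same bounds; the first fixed release should still be confirmed against the vendor's changelog. The manifest path it mentions (plugins/system/nrframework/nrframework.xml, Joomla's plugins/<group>/<name>/ convention) and the sample manifest are assumptions, not taken from the page.

```python
import re
from xml.etree import ElementTree as ET

# Affected version ranges exactly as listed on this page; low and high ends are
# treated as inclusive (the PoC target ranges on the page use the same bounds).
# Confirm the first fixed release against the vendor's changelog before trusting
# the upper bound.
AFFECTED = {
    "Advanced Custom Fields": ("2.2.0", "3.1.0"),
    "Convert Forms": ("3.2.12", "5.1.0"),
    "EngageBox": ("6.0.0", "7.1.0"),
    "Google Structured Data": ("5.1.7", "6.1.0"),
    "Novarain/Tassos Framework (plg_system_nrframework)": ("4.10.14", "6.0.37"),
    "Smile Pack": ("1.0.0", "2.1.0"),
}

FRAMEWORK = "Novarain/Tassos Framework (plg_system_nrframework)"

# Constructed manifest in the shape of a Joomla extension manifest. On a real
# site the framework plugin's manifest is assumed to live at
# plugins/system/nrframework/nrframework.xml (Joomla's plugins/<group>/<name>/
# convention; the path is an assumption, not taken from this page).
SAMPLE_MANIFEST = """<extension type="plugin" group="system" method="upgrade">
    <name>plg_system_nrframework</name>
    <version>5.3.1</version>
</extension>"""


def parse_version(text):
    """'6.0.37' -> (6, 0, 37). Pre-release suffixes such as '-beta1' are dropped
    so that tuple comparison works on the numeric core only."""
    core = re.split(r"[-+ ]", text.strip(), maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(product, version):
    """True when version falls inside the product's listed range (inclusive)."""
    low, high = AFFECTED[product]
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def manifest_version(xml_text):
    """Read the <version> element of a Joomla extension manifest, or None."""
    node = ET.fromstring(xml_text).find("version")
    return node.text.strip() if node is not None and node.text else None


def check_framework_manifest(xml_text):
    """Return (installed_version, affected) for an nrframework manifest."""
    version = manifest_version(xml_text)
    if version is None:
        return None, None
    return version, is_affected(FRAMEWORK, version)


def affected_report(installed):
    """installed: {product name: version string}. Returns only the products
    whose installed version is still inside an affected range."""
    return {p: v for p, v in installed.items() if p in AFFECTED and is_affected(p, v)}


if __name__ == "__main__":
    print(check_framework_manifest(SAMPLE_MANIFEST))
    print(affected_report({"Convert Forms": "5.1.0", "EngageBox": "7.1.1", "Smile Pack": "0.9.0"}))
```

Because the framework plugin is what the PoCs actually target, the framework's own version is the one that matters even when every extension on top of it is already above its listed range; check the plugin manifest, not only the extensions' version numbers.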