CVE-2026-21627

Awaiting Analysis
Published: 20 Feb 2026, 14:22
Last modified:20 Feb 2026, 14:22

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.5 CRITICAL
v4.0 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

20 Feb 2026, 14:22
Published
Vulnerability first disclosed
Description

The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.

CVSS Metrics
  • v4.0CRITICALScore: 9.5CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
  • v4.0CRITICALScore: 9.5CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Techniques & Countermeasures
  • CWE-284Improper Access Control

    The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Affected Systems
  • tassos.gradvanced custom fields

    2.2.0–3.1.0

  • tassos.grconvert forms

    3.2.12–5.1.0

  • tassos.grengagebox

    6.0.0–7.1.0

  • tassos.grgoogle structured data

    5.1.7–6.1.0

  • tassos.grnovarain/tassos framework (plg_system_nrframework)

    4.10.14–6.0.37

  • tassos.grsmile pack

    1.0.0–2.1.0

References (1)