Skip to main content

Tassos Framework CVE-2026-48906

| EUVDEUVD-2026-32162 CRITICAL
Improper Access Control (CWE-284)
2026-05-27 Joomla GHSA-wfvx-j6wj-x7w9
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:19 vuln.today

DescriptionCVE.org

The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.

AnalysisAI

Arbitrary file deletion in the Novarain/Tassos Framework system plugin (plg_system_nrframework) and the suite of Tassos.gr Joomla extensions that bundle it lets remote unauthenticated attackers delete arbitrary files on affected sites. The CVSS 4.0 vector (PR:N/UI:N) and the 'Authentication Bypass' tag indicate no credentials or interaction are needed, and the high integrity/availability impact reflects that deleting core files such as Joomla's configuration.php can lead to denial of service or site takeover. There is no public exploit identified at time of analysis, and EPSS is low (0.07%, 21st percentile) with no CISA KEV listing, indicating no observed exploitation despite the critical 9.3 base score.

Technical ContextAI

NR Framework (plg_system_nrframework) is a shared Joomla system plugin developed by Tassos.gr that provides common functionality to a family of commercial extensions, so a single flaw in the framework propagates across every product that ships it - Convert Forms, EngageBox, Advanced Custom Fields, Google Structured Data, Smile Pack, Tassos Code Snippets, and MailChimp Auto-Subscribe. The root cause is classed as CWE-284 (Improper Access Control): a file-handling code path that should require authentication or proper authorization is reachable without it, allowing a deletion operation to be invoked against arbitrary paths. The CPE strings (vendor tassos.gr) confirm the affected products are server-side Joomla extensions rather than standalone applications, so exploitation targets the web application layer reachable over HTTP/HTTPS.

RemediationAI

No vendor-released patch version was identified at time of analysis; the provided reference points only to the vendor homepage (https://tassos.gr) rather than a tagged release or advisory, and the EUVD upper bounds (e.g., Convert Forms up to 5.1.5, EngageBox up to 7.1.1, NR Framework up to 6.0.1) imply fixes ship in the next versions above those ranges but this is not independently confirmed - check https://tassos.gr and the Joomla Vulnerable Extensions List for the exact fixed build before upgrading. Until a confirmed patched version is installed, the most direct compensating control is to disable or uninstall the affected Tassos extension and the plg_system_nrframework system plugin from the Joomla Plugin Manager, which removes the vulnerable code path entirely at the cost of losing that extension's functionality. If the extension cannot be disabled, place a WAF or reverse-proxy rule in front of the site to block unauthenticated requests to the NR Framework component/endpoint and restrict administrative paths by IP; the trade-off is that overly broad rules may break legitimate AJAX calls used by these plugins, so test in monitor mode first. Maintain offline backups of configuration.php and the site so a successful deletion can be recovered.

Share

CVE-2026-48906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy