HTProtect.org
Independent information site on Joomla security vulnerabilities
Security vulnerability

Astroid Framework – critical RCE flaw (file upload)

Critical · Actively exploited · CVE-2026-21628
Act now
Update Astroid to 3.3.13 or newer – and clean up as well if you suspect a compromise.

Secure version: Astroid 3.3.13 or newer · direct download (GitHub, open source)

At a glance

Affected extension: Astroid Framework (template framework)
Vendor:
Type of flaw: Unauthenticated file upload → Remote Code Execution (RCE); abuses a CSRF token from the public login page
Affected versions: Astroid 2.0.0 to 3.3.10
Secure version: Astroid 3.3.13 or newer
Severity: Critical · actively exploited
Joomla compatibility: Joomla 4 / 5 / 6
Status / published: As of: 11 March 2026

What is this about?

The Astroid Framework is the basis of numerous Joomla templates. The vulnerability lets attackers upload files to the server without authentication. To do so, a CSRF token is abused that can be read from the publicly accessible login page. In the worst case, this allows code execution (Remote Code Execution).

Vulnerable are versions 2.0.0 to 3.3.10. The flaw is tracked as CVE-2026-21628. It was fixed from version 3.3.11; updating to 3.3.13 or newer is recommended.

Important: a mere version update is not enough if the attack has already happened. In practice, so-called dropper files (e.g. blp_9948.php) were used to load backdoor plugins such as BLPayload or JCachePro – these persist after an update.

Am I affected? – How to check

  1. Open the back end

    Log in to the Joomla administrator.

  2. Check the Astroid version

    You can find the installed version in the template area (System → Templates) or under Extensions → Manage → Manage by filtering for "Astroid".

  3. Assess the version

    If the version is between 2.0.0 and 3.3.10, action is urgently needed.

  4. Watch for backdoors

    Check /plugins/system/ for suspicious entries such as BLPayload or JCachePro, as well as files matching blp_*.php.
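
As an added example (not from htprotect.org), here is a small POSIX shell script that automates steps 2 to 4 on the web server itself: it reads the version from a Joomla extension manifest, tests it against the affected range 2.0.0 to 3.3.10, and lists the indicators named above under plugins/system/. The manifest path, the plain x.y.z version format and the fixed-width version comparison are assumptions of this example; the indicator names (BLPayload, JCachePro, blp_*.php) are the ones given on this page.

```shell
#!/bin/sh
# Added example (not from htprotect.org): automate steps 2-4 above on the web server.
# Assumptions: version strings are plain x.y.z; the manifest is a standard Joomla
# extension manifest containing a <version> element; the indicators are those named
# on this page (BLPayload, JCachePro, blp_*.php under plugins/system/).

# Convert x.y.z into a fixed-width integer so it can be compared with -ge/-le,
# e.g. 3.3.10 -> 3003010 and 3.3.9 -> 3003009 (plain string comparison gets this wrong).
version_key() {
    echo "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# Exit 0 when the version lies in the affected range 2.0.0 .. 3.3.10, else 1.
astroid_vulnerable() {
    v=$(version_key "$1")
    [ "$v" -ge "$(version_key 2.0.0)" ] && [ "$v" -le "$(version_key 3.3.10)" ]
}

# Pull the version out of a Joomla extension manifest (first <version> element).
manifest_version() {
    sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$1" | head -n 1
}

# Print entries under a plugins/system directory that match the indicators from
# this page: plugin folders named BLPayload/JCachePro (any case) and dropper files
# blp_*.php, either directly in the directory or one level down. No output means
# none of these specific indicators were found; it does not prove the site is clean.
scan_system_plugins() {
    find "$1" -maxdepth 2 \( -iname 'blpayload' -o -iname 'jcachepro' -o -iname 'blp_*.php' \) -print 2>/dev/null
}

# Human-readable summary. Usage: sh astroid_check.sh MANIFEST.xml /path/to/plugins/system
report() {
    ver=$(manifest_version "$1")
    if astroid_vulnerable "$ver"; then
        echo "Astroid $ver is in the affected range 2.0.0-3.3.10: update to 3.3.13 or newer"
    else
        echo "Astroid $ver is outside the affected range"
    fi
    hits=$(scan_system_plugins "$2")
    if [ -n "$hits" ]; then
        echo "Backdoor indicators found (an update alone is not enough):"
        echo "$hits"
    else
        echo "No BLPayload/JCachePro/blp_*.php indicators under $2"
    fi
}

if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

Run it as `sh astroid_check.sh /path/to/manifest.xml /path/to/plugins/system`. A clean scan only says that these particular indicators are absent; the full clean-up described further down still applies whenever a compromise is suspected.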

How to fix it

Before any update: back up
Back up your files and database before updating – so you can roll back if anything goes wrong (e.g. via Akeeba Backup or your host).
  1. Open the Update center

    Go to System → Update → Extensions and click Check for updates.

  2. Update Astroid

    Select the Astroid entry and update to 3.3.13 or newer.

  3. Verify the version

    Then confirm that the new version has been applied.

Manual installation (alternative)
Alternatively, download the package from your Astroid/TemPlaza account and install it via Extensions → Manage → Install.

Official source: direct download (GitHub, open source). Make sure you have at least Astroid 3.3.13 or newer.

Has the site already been attacked?

If compromised, an update is not enough
Updates do not automatically remove already-installed malware. Watch for plugins such as BLPayload/JCachePro and dropper files (blp_*.php). What's then required: a full clean-up, changing all passwords (Joomla admin, FTP/SSH, database) and a check in Google Search Console.

Sources & further reading

The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.

Supporters of this site

htprotect.org is a free, vendor-independent information service. It is supported by:

Host & community: FC-Hosting (fc-hosting.de)
Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.

Initiator & operator: Website-Bereinigung.de (website-bereinigung.de)
Specialised in cleaning, maintaining and securing Joomla and WordPress websites.
