Tassos Framework (formerly Novarain) – critical flaw, CVSS 9.5
Secure version: Tassos Framework 6.0.62 or higher · via Tassos account
At a glance
plg_system_nrframework: requests via com_ajax allow file and database access; a public exploit tool is available
What is this about?
The Tassos Framework – formerly known as the Novarain Framework – runs as a system plugin (plg_system_nrframework) and forms the shared basis of several popular extensions. Via com_ajax, AJAX requests were possible without authentication, allowing file access, file deletion and database access, among other things.
The flaw (CVE-2026-21627) is rated critical with a CVSS score of 9.5 out of 10; a public exploit tool is available. Framework versions 4.10.14 to 6.0.37 are vulnerable.
The following extensions in particular are affected: Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, Smile Pack and MailChimp Auto-Subscribe. Since they all use the same framework base, it is enough to update one of them – the framework is updated along with it.
Secure minimum versions per extension
| Extension | Joomla 4 / 5 / 6 | Joomla 3 |
|---|---|---|
| Convert Forms | 5.1.1 | 4.4.11 |
| EngageBox | 7.1.1 | 6.3.9 |
| Google Structured Data | 6.1.1 | 5.6.9 |
| Advanced Custom Fields | 3.1.1 | 2.8.10 |
| Smile Pack | 2.1.1 | 1.2.4 |
| MailChimp Auto-Subscribe | 5.1.1 | 5.0.4 |
After updating one of these extensions, the Tassos Framework must show 6.0.62 or higher.
Am I affected? – How to check
- Open the back end
Log in to the Joomla administrator.
- Check the framework
Open System›Plugins and search for Tassos Framework. Alternatively, check the files /plugins/system/nrframework/nrframework.php and nrframework.xml.
- Assess the version
If the framework version is between 4.10.14 and 6.0.37, the site is vulnerable. Version 6.0.62 or higher is secure.
How to fix it
- Open the Update center
Go to System›Update›Extensions and click Check for updates.
- Update one Tassos extension
Update any installed Tassos extension (see table) to the stated minimum version. The framework is updated along with it.
- Verify the framework
Check under System›Plugins that "Tassos Framework" now shows 6.0.62 or higher.
Official source: via Tassos account. Make sure you have Tassos Framework 6.0.62 or higher.
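The version check from "Am I affected?" and the "Verify the framework" step, as a script. This is an added example, not code from the vendor or from this page: it reads the version from nrframework.xml and compares it with the ranges stated above. The manifest sample is constructed, the script assumes the file carries a standard Joomla `<version>` element, and versions this page places in neither range are reported as `update-recommended`.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Version bounds exactly as stated in the advisory above.
VULN_MIN = (4, 10, 14)
VULN_MAX = (6, 0, 37)
SECURE_MIN = (6, 0, 62)

# Constructed sample manifest (not copied from the real plugin).
SAMPLE_MANIFEST = """<extension type="plugin" group="system" method="upgrade">
  <name>plg_system_nrframework</name>
  <version>6.0.37</version>
</extension>"""


def parse_version(text):
    """Turn '6.0.37' (or '6.0.37-beta1') into the tuple (6, 0, 37)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def framework_version(manifest_xml):
    """Read <version> from a manifest (assumed standard Joomla layout)."""
    node = ET.fromstring(manifest_xml).find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def classify(version):
    """Map a framework version string to the advisory's verdict."""
    v = parse_version(version)
    if v >= SECURE_MIN:
        return "secure"
    if VULN_MIN <= v <= VULN_MAX:
        return "vulnerable"
    # Neither range on this page covers the version; update regardless.
    return "update-recommended"


if __name__ == "__main__":
    # Pass the path to nrframework.xml, or run without arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    ver = framework_version(data)
    print(f"Tassos Framework {ver}: {classify(ver)}")
```

Run it with the path to /plugins/system/nrframework/nrframework.xml before and after the update; only the result `secure` matches the 6.0.62 requirement.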
Has the site already been attacked?
Sources & further reading
- Detailed analysis – Website-Bereinigung.de: Affected extensions, versions, clean-up
- CVE-2026-21627 (CVE.org): Official CVE record
- Tassos (vendor): Get the updates
The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.