CVE-2026-48906 PUBLISHED

Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla

Assigner: Joomla
Reserved: 26.05.2026 Published: 27.05.2026 Updated: 27.05.2026

A vulnerability in the Tassos Framework plugin allows users to delete arbitrary files on affected sites.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/AU:Y
CVSS Score: 9.3

Product Status

Vendor tassos.gr
Product Novarain/Tassos Framework (plg_system_nrframework)
Versions Default: unaffected
  • Version 1.0.0-6.0.1 is affected

Vendor tassos.gr
Product Convert Forms
Versions Default: unaffected
  • Version 1.0.0-4.4.12 is affected
  • Version 5.0.0-5.1.5 is affected

Vendor tassos.gr
Product EngageBox
Versions Default: unaffected
  • Version 1.0.0-6.3.11 is affected
  • Version 7.0.0-7.1.1 is affected

Vendor tassos.gr
Product Google Structured Data
Versions Default: unaffected
  • Version 1.0.0-5.6.11 is affected
  • Version 6.0.0-6.1.9 is affected

Vendor tassos.gr
Product Advanced Custom Fields
Versions Default: unaffected
  • Version 1.0.0-2.8.12 is affected
  • Version 3.0.0-3.1.3 is affected

Vendor tassos.gr
Product Smile Pack
Versions Default: unaffected
  • Version 1.0.0-1.2.6 is affected
  • Version 2.0.0-2.1.0 is affected

Vendor tassos.gr
Product Tassos Code Snippets
Versions Default: unaffected
  • Version 1.0.0 is affected

Vendor tassos.gr
Product MailChimp Auto-Subscribe
Versions Default: unaffected
  • Version 1.0.0-5.0.5 is affected
  • Version 5.1.0-5.2.0 is affected

Credits

  • Leandro Vallim (finder)

Problem Types

  • CWE-284 Improper Access Control

Impacts

  • CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs