What is CVE-2026-21627?

CVE-2026-21627 is a vulnerability in Tassos.gr Advanced Custom Fields, classified under Improper Access Control. Published 2026-02-20.

Is CVE-2026-21627 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Tassos.gr Advanced Custom Fields

CVE-2026-21627

The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.

EPSS: 0.000 (5.0th percentile) — read the EPSS interpretation.

Affected products

Tassos.gr Advanced Custom Fields — versions 2.2.0–3.1.0
Tassos.gr Convert Forms — versions 3.2.12–5.1.0
Tassos.gr Engagebox — versions 6.0.0–7.1.0
Tassos.gr Google Structured Data — versions 5.1.7–6.1.0
Tassos.gr Novarain/tassos Framework (Plg_system_nrframework) — versions 4.10.14–6.0.37
Tassos.gr Smile Pack — versions 1.0.0–2.1.0

Weakness classification (CWE)

CWE-284 — Improper Access Control

Public proof-of-concept exploits

yallasec/CVE-2026-21627---Tassos-Novarain-Framework-plg_system_nrframework-Exploit---Joomla

References

tassos.gr (product)

Frequently asked questions

What is CVE-2026-21627?: CVE-2026-21627 is a vulnerability in Tassos.gr Advanced Custom Fields, classified under Improper Access Control. Published 2026-02-20.
Is CVE-2026-21627 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.