Tassos Novarain Framework Vulnerability

Many Joomla site operators do not even realize that the Tassos Framework or the former Novarain Framework is installed on their website at all. That is exactly what makes this security vulnerability so serious: The affected plugin is plg_system_nrframework, which often runs in the background only as a technical dependency.

The vulnerability is tracked under CVE-2026-21627 and is rated as critical (9.5 out of 10). What is particularly problematic is that attacks may be possible without a login. In addition, a public exploit tool has already become known. Anyone who runs or manages Joomla websites with Tassos extensions should therefore not put this off until later, but check now.

What exactly is this about?

The vulnerability does not affect the Joomla core itself, but rather the system plugin plg_system_nrframework. Technically, the problem is related to certain AJAX requests via com_ajax. In unfavorable cases, this can allow file access, file deletion, or database access, among other things - without an attacker having to log in normally first.

What makes this especially tricky is that the framework was often installed together with extensions such as Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, Smile Pack or MailChimp Auto-Subscribe. Many site operators therefore never consciously noticed the actual framework name.

Which websites are affected?

Affected are Joomla websites that have the Tassos or Novarain Framework installed. You can typically find it under this path:

/plugins/system/nrframework/

Important files include, among others:

/plugins/system/nrframework/nrframework.php
/plugins/system/nrframework/nrframework.xml

If these files are present, the framework is installed. According to the published information, versions from 4.10.14 to 6.0.37 are vulnerable.
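To make the file and version check above repeatable, here is an added Python script (not from the article or the vendor) that reads the manifest at the path named above and classifies the version against the ranges the article gives. It assumes the standard Joomla plugin manifest layout, where the installed version is the <version> element, and that it is pointed at the Joomla root directory; the sample manifest is constructed.

```python
"""Added check: locate plg_system_nrframework and classify its version
against the ranges stated in the advisory (vulnerable 4.10.14-6.0.37, fixed 6.0.62)."""
import os
import xml.etree.ElementTree as ET

MANIFEST_REL = "plugins/system/nrframework/nrframework.xml"  # path named in the article
VULN_MIN, VULN_MAX, FIXED = (4, 10, 14), (6, 0, 37), (6, 0, 62)

# Constructed sample in the shape of a Joomla plugin manifest (assumption: the
# installed version is the <version> child of the <extension> root)
SAMPLE_MANIFEST = """<extension type="plugin" group="system" method="upgrade">
  <name>plg_system_nrframework</name>
  <version>6.0.37</version>
</extension>"""


def parse_version(text):
    """'6.0.37' -> (6, 0, 37); a suffix such as '-beta' is ignored for comparison."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def manifest_version(xml_text):
    """Return the version string declared in a Joomla plugin manifest."""
    node = ET.fromstring(xml_text).find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def assess(version_text):
    """Classify a framework version: patched, vulnerable, update (above the
    published vulnerable range but below the fixed release) or older (below the range)."""
    v = parse_version(version_text)
    if v >= FIXED:
        return "patched"
    if VULN_MIN <= v <= VULN_MAX:
        return "vulnerable"
    return "update" if v > VULN_MAX else "older"


def check_joomla_root(root_dir):
    """Return (verdict, version) for a Joomla install; verdict is 'not installed'
    when the manifest named in the article is absent."""
    path = os.path.join(root_dir, MANIFEST_REL)
    if not os.path.isfile(path):
        return ("not installed", None)
    with open(path, encoding="utf-8") as fh:
        version = manifest_version(fh.read())
    return (assess(version), version)


if __name__ == "__main__":
    import sys
    print(check_joomla_root(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Versions between 6.0.37 and 6.0.62 are reported as "update" because the article only states that 6.0.62 or higher closes the hole.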

Why this vulnerability is so dangerous in practice

In reality, vulnerabilities like this are often more dangerous than many standard updates because they are easy to overlook. The framework runs quietly in the background, so the Joomla site itself looks inconspicuous at first glance. At the same time, a simple update may close the security vulnerability - but it will not automatically remove any malicious code that has already been injected.

Specifically, this means: If a website has already been compromised, “just updating” is not enough. Files, user accounts, logs, and typical backdoor traces must also be checked.

Important update block: This is what you need to do now

The vendor recommends updating the affected extension immediately to the patched version that matches the Joomla version in use. Important: Since all Tassos extensions share the same framework, in many cases it is sufficient to update one installed Tassos extension. The framework is then updated automatically as well.

Extension                | Joomla 4 / 5 / 6  | Joomla 3
Convert Forms            | v5.1.1 or higher  | v4.4.11 or higher
EngageBox                | v7.1.1 or higher  | v6.3.9 or higher
Google Structured Data   | v6.1.1 or higher  | v5.6.9 or higher
Advanced Custom Fields   | v3.1.1 or higher  | v2.8.10 or higher
Smile Pack               | v2.1.1 or higher  | v1.2.4 or higher
MailChimp Auto-Subscribe | v5.1.1 or higher  | v5.0.4 or higher

Source: https://www.tassos.gr/blog/company/security-update-tassos-framework-patch-released#what-you-need-to-do

Be sure to check this afterwards

  1. Log in to the Joomla backend
  2. Go to System - Plugins
  3. Search for Tassos Framework
  4. Check whether the installed framework version is 6.0.62 or higher

If 6.0.62 or higher is displayed there, the security vulnerability is closed according to the vendor.

Important special case: The framework may still be present even after uninstallation

A particularly important point from the official vendor notice: The framework may still be present on the website even if a Tassos extension was uninstalled at some point in the past. The reason is that the plugin is a shared dependency and is therefore not removed automatically, so that other extensions still relying on it are not broken.

Therefore, you should check even if you believe you are no longer using the extension in question:

  1. Log in to the Joomla backend
  2. Go to Extensions - Plugins or System - Plugins
  3. Search for Tassos Framework
  4. If the plugin is still present:
    • fully update it if you are actively using a Tassos extension
    • manually uninstall it if it is no longer in use

This point in particular is likely to be crucial for many affected websites, because such leftovers are easily overlooked in day-to-day operations.

How to recognize a possible compromise

If a vulnerable version was installed on your website, you should not only update it, but also check for signs of compromise. Suspicious indicators include:

  • unknown admin users
  • suspicious PHP files in upload, cache, or temporary directories
  • manipulated template or extension files
  • suspicious requests related to com_ajax and plugin=nrframework in the server logs
  • spam pages, redirects, or unusual SEO artifacts in the Google index

Important: a successfully applied update does not automatically mean the website is already clean.
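As an added example (not part of the article), here is a Python helper that pulls the com_ajax / plugin=nrframework requests mentioned above out of an Apache or nginx combined-format access log and counts them per client. It assumes the combined log format and works on constructed sample lines; since the endpoint may also be used by the extensions' normal front-end features, the counts are a starting point for review rather than proof of an attack.

```python
"""Added triage helper: pick out com_ajax requests routed into plg_system_nrframework
from an Apache/nginx combined-format access log and summarize them per client IP."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not captured traffic); IPs are from documentation ranges
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2026:03:12:01 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [10/Feb/2026:03:12:02 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2026:03:12:03 +0000] "POST /index.php?option=com_ajax&plugin=nrframework&format=raw HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.5 - - [10/Feb/2026:03:12:04 +0000] "GET /administrator/index.php?option=com_ajax&plugin=nrframework HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    qs = parse_qs(urlsplit(rec["path"]).query)
    rec["option"] = qs.get("option", [""])[0].lower()
    rec["plugin"] = qs.get("plugin", [""])[0].lower()
    return rec


def nrframework_requests(lines):
    """Records for requests with option=com_ajax and plugin=nrframework (any path)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["option"] == "com_ajax" and rec["plugin"] == "nrframework":
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-IP counts; 'frontend_200' = successful calls outside /administrator/, i.e. without a backend login."""
    by_ip = {}
    for h in hits:
        entry = by_ip.setdefault(h["ip"], {"total": 0, "frontend_200": 0, "user_agents": set()})
        entry["total"] += 1
        entry["user_agents"].add(h["ua"])
        if h["status"] == "200" and not h["path"].startswith("/administrator/"):
            entry["frontend_200"] += 1
    return by_ip
```

Front-end hits with status 200 from a single scripted user agent, as in the constructed sample, are the pattern to review first, together with recently changed files in the directories listed above.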

Conclusion

The vulnerability in the Tassos Framework, or Novarain Framework, is particularly dangerous because many Joomla site operators are not even aware of it at first. Anyone who uses or previously used Tassos extensions should now actively check whether plg_system_nrframework is still installed, update the affected extensions, and verify the framework version.

And just as important: if there are signs of an attack, you should not only patch the issue, but also fully inspect the website and clean it if necessary.


FAQ

What is CVE-2026-21627?

This is the identifier of the critical vulnerability in the Joomla plugin plg_system_nrframework, namely in the Tassos or Novarain Framework.

Is Joomla itself affected?

No, the Joomla core is not affected, but the additional framework plugin is.

Is it enough to update just one Tassos extension?

Yes, according to the vendor, this is sufficient in many cases because the shared framework is updated automatically in the process.

Which framework version should be installed after the update?

After the update, Tassos Framework v6.0.62 or higher should be installed.

Is an update always enough?

No. If the website has already been compromised, you must also check whether malware, backdoors, or other manipulations are present.
