Joomla security vulnerability in the Tassos Framework / Novarain Framework
Many Joomla site owners do not even realize that the Tassos Framework or the earlier Novarain Framework is installed on their website at all. That is exactly what makes this vulnerability so troublesome: it affects the plg_system_nrframework plugin, which often runs quietly in the background as a technical dependency.
The vulnerability is tracked under CVE-2026-21627 and is classified as critical (9.5 out of 10). What is especially problematic is that attacks may be possible without a login. In addition, a public exploit tool is already known. Anyone operating or maintaining Joomla websites with Tassos extensions should therefore not put this off, but check now.
What exactly is this about?
The vulnerability does not affect the Joomla core itself, but the system plugin plg_system_nrframework. Technically, the issue is related to certain AJAX requests via com_ajax. In unfavorable cases, this can enable, among other things, file access, file deletion, or database access - without an attacker having to log in normally beforehand.
What makes this especially tricky is that the framework was often installed together with extensions such as Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, Smile Pack or MailChimp Auto-Subscribe. Many site operators therefore never consciously noticed the actual framework name.
Which websites are affected?
Affected are Joomla websites on which the Tassos or Novarain framework is installed. Typically, you will find it under this path:
/plugins/system/nrframework/
Important files include, among others:
/plugins/system/nrframework/nrframework.php
/plugins/system/nrframework/nrframework.xml
If these files are present, the framework is installed. According to the published information, versions from 4.10.14 to 6.0.37 are considered vulnerable in particular.
Why this vulnerability is so dangerous in practice
In practice, vulnerabilities like this are often more dangerous than many standard updates because they are easy to overlook. The framework often runs quietly in the background, even though the actual Joomla site appears unremarkable at first glance. At the same time, a simple update can close the security gap - but it does not automatically remove malicious code that may already have been implanted.
In concrete terms, this means: if a website has already been compromised, “just updating” is not enough. In that case, files, user accounts, logs, and typical backdoor traces must also be checked.
Important: here is what to do now
The vendor recommends immediately updating the affected extension to the patched version that matches the Joomla version in use. Important: since all Tassos extensions share the same framework, in many cases it is enough to update one installed Tassos extension. The framework is updated automatically at the same time.
| Extension | Joomla 4 / 5 / 6 | Joomla 3 |
|---|---|---|
| Convert Forms | v5.1.1 or higher | v4.4.11 or higher |
| EngageBox | v7.1.1 or higher | v6.3.9 or higher |
| Google Structured Data | v6.1.1 or higher | v5.6.9 or higher |
| Advanced Custom Fields | v3.1.1 or higher | v2.8.10 or higher |
| Smile Pack | v2.1.1 or higher | v1.2.4 or higher |
| MailChimp Auto-Subscribe | v5.1.1 or higher | v5.0.4 or higher |
Be sure to check afterwards
- Log in to the Joomla backend
- Go to System - Plugins
- Search for Tassos Framework
- Check whether the installed framework version is 6.0.62 or higher
If 6.0.62 or higher is shown there, the security vulnerability is closed according to the manufacturer.
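To make the file check from "Which websites are affected?" and the version check from the list above repeatable across many sites, here is an added shell script (my own example, not tooling from the article or the vendor) that looks for the plugin files under a Joomla root and classifies the manifest version against the ranges stated above. It assumes the manifest stores the version in a standard Joomla <version> element; the fixture it runs on is constructed.

```shell
#!/bin/sh
# Added example: locate plg_system_nrframework in a Joomla tree and classify
# its manifest version against the ranges the advisory gives
# (vulnerable 4.10.14 .. 6.0.37, fixed 6.0.62 or higher).

# version_ge A B: exit 0 if dotted version A >= B (numeric, component-wise).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# nrframework_status JOOMLA_ROOT: prints one word describing the framework.
#   absent         no nrframework.php / nrframework.xml under plugins/system
#   vulnerable     manifest version inside the advisory's vulnerable range
#   update-needed  present but below 6.0.62 (or version unreadable)
#   patched        manifest version 6.0.62 or higher
nrframework_status() {
    dir="$1/plugins/system/nrframework"
    if [ ! -f "$dir/nrframework.php" ] && [ ! -f "$dir/nrframework.xml" ]; then
        echo absent; return 0
    fi
    # Joomla extension manifests carry the version in a <version> element.
    ver=$(sed -n 's/.*<version>\([0-9][0-9.]*\)<\/version>.*/\1/p' "$dir/nrframework.xml" 2>/dev/null | head -n 1)
    [ -n "$ver" ] || { echo update-needed; return 0; }
    if version_ge "$ver" 6.0.62; then echo patched
    elif version_ge "$ver" 4.10.14 && ! version_ge "$ver" 6.0.38; then echo vulnerable
    else echo update-needed
    fi
}

# Stand-alone demo on a constructed fixture (not a real site): a manifest
# claiming version 6.0.37, which the advisory lists as vulnerable.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/plugins/system/nrframework"
printf '<extension type="plugin" group="system">\n <name>plg_system_nrframework</name>\n <version>6.0.37</version>\n</extension>\n' \
    > "$demo_root/plugins/system/nrframework/nrframework.xml"
: > "$demo_root/plugins/system/nrframework/nrframework.php"
echo "$demo_root: $(nrframework_status "$demo_root")"
rm -rf "$demo_root"
```

Run it as `nrframework_status /var/www/your-site` for each Joomla root; the backend plugin list remains the authoritative place to confirm what is actually enabled.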
Important special case: The framework can still be present after uninstallation
A particularly important point from the official vendor notice: The framework can still be present on the website even if a Tassos extension was uninstalled earlier. The reason is that the plugin is not automatically removed as a shared dependency so as not to break other extensions.
That is why you should check even if you believe you are no longer using the extension in question:
- Log in to the Joomla backend
- Go to Extensions - Plugins or System - Plugins
- Search for Tassos Framework
- If the plugin is still present:
- fully update if you are actively using a Tassos extension
- manually uninstall if it is no longer in use
This point is likely crucial for many affected websites, because such remnants are easy to overlook in day-to-day operations.
How to recognize a possible compromise
If a vulnerable version was installed on your website, you should not only update it, but also check for signs of compromise. Suspicious indicators include:
- unknown admin users
- suspicious PHP files in upload, cache, or temporary directories
- tampered template or extension files
- noticeable requests involving com_ajax and plugin=nrframework in the server logs
- spam pages, redirects, or unusual SEO artifacts in the Google index
Important: A successfully applied update does not automatically mean the website is already clean.
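As an added example (not from the original article), this script pulls the com_ajax requests with plugin=nrframework mentioned above out of a combined-format access log and summarises them per client, including how many were answered with 200. The log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example: triage an Apache/Nginx combined-format access log for requests
# to com_ajax that name plugin=nrframework, grouped by client address.
# The sample lines are constructed, not taken from a real server.

# sample_log: constructed combined-format lines used by the demo and the test.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [12/Mar/2026:10:15:01 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [12/Mar/2026:10:15:03 +0000] "GET /index.php?option=com_content&view=article&id=4 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:15:04 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw HTTP/1.1" 200 640 "-" "curl/8.0"
192.0.2.33 - - [12/Mar/2026:10:16:00 +0000] "POST /index.php?option=com_ajax&plugin=nrframework HTTP/1.1" 403 77 "-" "Mozilla/5.0"
EOF
}

# nrframework_ajax_count LOG: total number of matching requests.
nrframework_ajax_count() {
    awk '$7 ~ /option=com_ajax/ && $7 ~ /plugin=nrframework/ { n++ } END { print n + 0 }' "$1"
}

# nrframework_ajax_hits LOG: one line per client, "requests answered_200 client",
# most active client first. $1 is the client, $7 the request path, $9 the status.
nrframework_ajax_hits() {
    awk '
        $7 ~ /option=com_ajax/ && $7 ~ /plugin=nrframework/ {
            hits[$1]++
            if ($9 == 200) ok[$1]++
        }
        END { for (c in hits) print hits[c], ok[c] + 0, c }
    ' "$1" | sort -rn
}

# Demo on the constructed log.
demo_log=$(mktemp)
sample_log > "$demo_log"
echo "matching requests: $(nrframework_ajax_count "$demo_log")"
nrframework_ajax_hits "$demo_log"
rm -f "$demo_log"
```

Only the query string is visible in the log, so parameters sent in a POST body are not captured; a clean result here does not prove that no such request was made.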
Conclusion
The security vulnerability in the Tassos Framework, or Novarain Framework, is especially dangerous because many Joomla operators do not initially have it on their radar. Anyone using or having used Tassos extensions should now actively check whether plg_system_nrframework is still installed, update the affected extensions, and verify the framework version.
And just as importantly: if there are signs of an attack, you should not only patch the issue, but also fully inspect the website and clean it up if necessary.
FAQ
What is CVE-2026-21627?
This is the identifier for the critical security vulnerability in the Joomla plugin plg_system_nrframework, i.e. in the Tassos or Novarain Framework.
Is Joomla itself affected?
No, the Joomla core is not affected, but rather the additional framework plugin.
Is it enough to update only a Tassos extension?
Yes, according to the manufacturer this is sufficient in many cases, because the shared framework is updated automatically as well.
Which framework version should be installed after the update?
After the update, Tassos Framework v6.0.62 or higher should be installed.
Is an update always enough?
No. If the website has already been compromised, you must also check whether malicious code, backdoors, or other manipulations are present.
Last Updated: 04 April 2026
