Security Update: Arbitrary File Deletion Vulnerability Fixed

Tassos Marinos
Published in Company News
May 5 2026
3 min read
Last updated 2 weeks ago

On March 5th, 2026, a security researcher named Leandro Vallimasked responsibly reported an arbitrary file deletion vulnerability in the file upload and gallery fields across several of our extensions (tracked as CVE-2026-48906).

We reviewed the code, hardened the affected delete endpoints, and shipped patched versions. The issue is fully resolved.

What was the issue?

The root of the problem is in the Tassos Framework plugin, shared across all our extensions. When a visitor uploaded a file and then deleted it, the framework trusted the file path supplied by the browser to decide which file to remove. It didn't check whether that path actually resolved to a file inside the upload folder.

Anyone could send a crafted delete request pointing at a file they didn't upload, and the server would delete it, with no login required.

The fix locks deletions to the specific folder where uploaded files are stored. Any request pointing outside that folder is rejected. There's no evidence this was exploited in the wild.
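To make the containment check concrete, here is an added example in the spirit of the fix described above. It is not Tassos Framework code; the function names, the upload directory layout (one flat folder) and the demo files are assumptions.

```php
<?php
// Added example, not Tassos Framework code. Directory names, function
// names and the demo files below are assumptions for illustration.
declare(strict_types=1);
// The vulnerable pattern described in the advisory boils down to
// unlink($uploadDir . '/' . $requestedName) with no containment check,
// so the server deletes whatever path the request names.

// Hardened: absolute path only if it is a regular file inside $uploadDir.
function resolveUploadPath(string $uploadDir, string $requested): ?string
{
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Uploads live flat in one folder, so only the last path component
    // can be legitimate; this strips any "../" or absolute prefix.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() follows symlinks and returns false for missing files,
    // so a link inside uploads that points elsewhere is caught too.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Delete only when the containment check passes.
function deleteUpload(string $uploadDir, string $requested): bool
{
    $path = resolveUploadPath($uploadDir, $requested);
    return $path !== null && unlink($path);
}

// Constructed demo in a temp directory, not real site data.
$tmp = sys_get_temp_dir() . '/upload_demo_' . getmypid();
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/uploads/photo.jpg', 'x');
file_put_contents($tmp . '/other.txt', 'x');
var_dump(deleteUpload($tmp . '/uploads', '../other.txt'));
var_dump(file_exists($tmp . '/other.txt'));
var_dump(deleteUpload($tmp . '/uploads', 'photo.jpg'));
```

The first call is rejected and the file outside the upload folder survives; only the third call, naming a file that really lives in the upload folder, deletes anything.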

The vulnerability surfaces specifically in these extensions and fields:

  • Advanced Custom Fields: File Upload field and Gallery field
  • Convert Forms: File Upload field
  • Smile Pack: Gallery module

However, the underlying fix lives in the Tassos Framework plugin, which is shared by every Tassos extension. Any site with the framework installed could potentially be exposed, even if none of the three extensions above are in use. For this reason, we recommend updating every Tassos extension you have installed so the patched framework is pulled in regardless of which product triggers the update.

What you need to do

Update every Tassos extension installed on your site to at least the versions below. Each one ships the patched Tassos Framework, so updating all of them is the cleanest way to guarantee the fix is applied and stays applied through future updates.

Extension                   Joomla 4 / 5 / 6     Joomla 3
Convert Forms               v5.1.6 or later      v4.4.13 or later
EngageBox                   v7.1.2 or later      v6.3.12 or later
Google Structured Data      v6.2.0 or later      v5.6.12 or later
Advanced Custom Fields      v3.1.4 or later      v2.8.13 or later
Smile Pack                  v2.1.1 or later      v1.2.7 or later
Tassos Code Snippets        v1.0.1 or later      Not available
MailChimp Auto-Subscribe    v5.2.1 or later      v5.0.6 or later

Strictly speaking, updating a single extension is enough to pull in the Framework fix. Updating all of them is still the better call.

Verify your installation

After updating, confirm you're running a patched version:

  1. Log in to your Joomla Administrator
  2. Go to System → Manage → Extensions
  3. Confirm each affected extension is at or above the versions listed above
  4. Also search for Tassos Framework and confirm the version is 6.1 or later

If both check out, you're protected.

If you need help updating, open a support ticket and we'll sort it out.

Important: Check for Leftover Framework Plugin

If you've installed a Tassos extension and later uninstalled it, the Tassos Framework plugin may still be on your site.

The framework is shared across all Tassos extensions and isn't automatically removed on uninstall, to avoid breaking other extensions that may still depend on it. It can linger even when no Tassos extensions are active.

Check your site:

  1. Log in to your Joomla Administrator
  2. Go to Extensions → Plugins
  3. Search for Tassos Framework
  4. If the plugin is found:
    • Still using a Tassos extension? Make sure it's updated to the latest version
    • No longer using any Tassos extensions? Uninstall the plugin manually

Removing it ensures your site isn't exposed unnecessarily.