---
title: "Security Update: Tassos Framework Patch Released"
description: "On January 7th, 2026, an independent security researcher, p1r0x, working with SSD Secure Disclosure, responsibly reported a vulnerability in the Tasso"
url: "https://www.tassos.gr/blog/company/security-update-tassos-framework-patch-released"
date: "2026-04-07T17:12:47+00:00"
language: "en-GB"
---

# Security Update: Tassos Framework Patch Released

Tassos Marinos

 Published in [Company News](https://www.tassos.gr/blog/company)

 Feb 18 2026


![Security Update: Tassos Framework Patch Released](https://www.tassos.gr/images/2026/02/security_update.png)

On January 7th, 2026, an independent security researcher, **p1r0x**, working with [SSD Secure Disclosure](https://ssd-disclosure.com), responsibly reported a vulnerability in the Tassos Framework system plugin, which is included in our Joomla extensions.

Upon receiving the report, we immediately conducted a full internal code review, implemented additional validation and hardening measures, and released patched versions of all affected extensions. The issue has now been fully resolved.

## What was the issue?

The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s `com_ajax` entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.

In a worst-case scenario, this could have allowed an unauthenticated actor to read files accessible to the web server. It could also have enabled deleting files from the server when specific conditions were met.

Under certain circumstances, database queries could have been manipulated to extract data from the Joomla database. In combination, these capabilities could potentially have been used to escalate access and execute unauthorized code.

There is currently no evidence that this vulnerability has been exploited in the wild.

## Who is affected?

All Joomla extensions that include the Tassos Framework plugin are affected if running unpatched versions, including:

- Convert Forms
- EngageBox
- Google Structured Data
- Advanced Custom Fields
- Smile Pack

Because the framework is shared, the fix applies globally once updated.

## What you need to do

Install the patched version of your extension according to your Joomla version:

| Extension | Joomla 4 / 5 / 6 | Joomla 3 |
|---|---|---|
| Convert Forms | [v5.1.1](https://www.tassos.gr/releases/convert-forms/convert-forms-5-1-1) or later | [v4.4.11](https://www.tassos.gr/releases/convert-forms/convert-forms-4-4-11) |
| EngageBox | [v7.1.1](https://www.tassos.gr/releases/engagebox/engagebox-7-1-1) or later | [v6.3.9](https://www.tassos.gr/releases/engagebox/engagebox-6-3-9) |
| Google Structured Data | [v6.1.1](https://www.tassos.gr/releases/google-structured-data/google-structured-data-6-1-1) or later | [v5.6.9](https://www.tassos.gr/releases/google-structured-data/google-structured-data-5-6-9) |
| Advanced Custom Fields | [v3.1.1](https://www.tassos.gr/releases/advanced-custom-fields/advanced-custom-fields-3-1-1) or later | [v2.8.10](https://www.tassos.gr/releases/advanced-custom-fields/advanced-custom-fields-2-8-10) |
| Smile Pack | [v2.1.1](https://www.tassos.gr/releases/smile-pack/smile-pack-2-1-1) or later | [v1.2.4](https://www.tassos.gr/releases/smile-pack/smile-pack-1-2-4) |
| MailChimp Auto-Subscribe | [v5.1.1](https://www.tassos.gr/releases/mailchimp-auto-subscribe/mailchimp-auto-subscribe-5-1-1) or later | [v5.0.4](https://www.tassos.gr/releases/mailchimp-auto-subscribe/mailchimp-auto-subscribe-5-0-4) |

All of the above releases include the updated **Tassos Framework System Plugin v6.0.62**, which contains the security fix.

Because all our extensions share the same underlying framework plugin, you only need to update one of your installed Tassos extensions. The framework will be updated automatically as part of that process.

If you have multiple Tassos extensions installed, updating just one is sufficient to apply the patch. However, keeping all extensions up to date is always recommended.

### Verify the Framework version

After updating:

1. Log in to your Joomla Administrator
2. Go to System → Plugins
3. Search for Tassos Framework
4. Confirm the version is 6.0.62 or later

If the Tassos Framework version is 6.0.62 or later, your website is protected against this vulnerability.

## Important: Check for Leftover Framework Plugin

If you have installed a Tassos extension and later uninstalled it, the Tassos Framework plugin may still be present on your site.

This happens because the framework is shared across multiple Tassos extensions and is not automatically removed during uninstall, to avoid breaking other extensions that may still depend on it. As a result, the plugin may remain installed even when no Tassos extensions are installed.

We strongly recommend checking your Joomla installation:

1. Log in to your Joomla Administrator
2. Go to Extensions → Plugins
3. Search for Tassos Framework
4. If the plugin is found:
    - If you are still using any Tassos extension, make sure it is updated to the latest version
    - If you are no longer using any Tassos extensions, you should manually uninstall the plugin

Removing it ensures your site is not exposed unnecessarily.
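For anyone managing several Joomla sites, the version check and the leftover-plugin check above can be combined with the patched-release table into one audit. This is an added example, not code from Tassos: it assumes you have exported each site's installed extensions as a mapping of display name to version, that the names match those used in this post, and that the Joomla 3 releases in the table are treated as minimum versions.

```python
import re

FRAMEWORK_FIXED = "6.0.62"  # Tassos Framework System Plugin version named in this post
# Patched releases from the table in this post: (Joomla 4/5/6, Joomla 3)
PATCHED = {
    "Convert Forms": ("5.1.1", "4.4.11"),
    "EngageBox": ("7.1.1", "6.3.9"),
    "Google Structured Data": ("6.1.1", "5.6.9"),
    "Advanced Custom Fields": ("3.1.1", "2.8.10"),
    "Smile Pack": ("2.1.1", "1.2.4"),
    "MailChimp Auto-Subscribe": ("5.1.1", "5.0.4"),
}

def vkey(version):
    """Numeric sort key: 6.0.9 < 6.0.62 < 6.0.100 (string comparison gets this wrong)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def audit(inventory, joomla_major):
    """inventory: {display name: installed version}. Returns (verdict, outdated extensions)."""
    col = 1 if joomla_major == 3 else 0
    norm = {name.strip().lower(): ver for name, ver in inventory.items()}
    # Assumption: the plugin's display name contains "Tassos Framework" (the search term above)
    fw = next((v for n, v in norm.items() if "tassos framework" in n), None)
    installed = {n: norm[n.lower()] for n in PATCHED if n.lower() in norm}
    outdated = sorted(n for n, v in installed.items() if vkey(v) < vkey(PATCHED[n][col]))
    if fw is None:
        return "framework-absent", outdated
    if not installed:
        # Framework left behind by an uninstalled extension: remove it manually
        return "leftover-uninstall", outdated
    if vkey(fw) >= vkey(FRAMEWORK_FIXED):
        return "protected", outdated
    return "vulnerable-update", outdated

# Constructed sample inventories (hypothetical sites, not real data)
SITES = {
    "site-a": ({"System - Tassos Framework": "6.0.100", "Convert Forms": "5.1.2"}, 5),
    "site-b": ({"System - Tassos Framework": "6.0.9", "EngageBox": "6.3.8"}, 3),
    "site-c": ({"System - Tassos Framework": "6.0.62"}, 4),
}

if __name__ == "__main__":
    for site, (inv, major) in SITES.items():
        print(site, *audit(inv, major))
```

A site reported as `protected` can still list outdated extensions, since one updated extension is enough to bring the framework to the fixed version.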

## Responsible disclosure

We thank the independent security researcher who responsibly reported this issue. Upon notification, we immediately investigated, implemented fixes, and released patched versions.

Security remains a top priority for us. If you need assistance updating or have any questions, please open a support ticket, and we will assist you promptly.

