Fwd: Security Update: Arbitrary File Deletion Vulnerability Fixed

[Dorothy Firsching]

Yikes! Go fix it.

---------- Forwarded message ---------
From: Tassos Marinos <in...@tassos.gr>
Date: Wed, May 20, 2026 at 9:29 PM
Subject: Security Update: Arbitrary File Deletion Vulnerability Fixed

A security vulnerability affecting file upload fields in our extensions has been fixed — update now to protect your site. ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

Hey there, A security vulnerability was recently discovered and fixed in the Tassos Framework plugin, which is shared across all our extensions. The issue allowed anyone to send a crafted delete request targeting files they didn't upload, including files outside the upload folder, with no login required. The affected extensions are Advanced Custom Fields (File Upload and Gallery fields), Convert Forms (File Upload field), and Smile Pack (Gallery module). The vulnerability is now fully resolved. To protect your site, update to the patched versions listed in the article, updating any one extension is enough to pull in the fix. Read the full security update Best regards, Tassos Marinos Lead Developer Feel free to join our Facebook Community to connect with others who use our Joomla extensions ‍Smile Motive Development LP Greece, Kos. Ethnikis Antistaseos, 85300