CVE-2026-49977 PUBLISHED

tarteaucitron.js: data-cookie attribute can be used to delete arbitrary cookies

Assigner: GitHub_M
Reserved: 02.06.2026 Published: 17.07.2026 Updated: 17.07.2026

tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.33.0, tarteaucitron.cookie.purge() is called on any element with the purgeBtn class and does not check whether the element is a legitimate tarteaucitron button or whether the cookie corresponds to a service handled by tarteaucitron. If an attacker can write HTML with data attributes, an element with data-cookie can silently delete a non-HttpOnly cookie with a known name when clicked by a user. This issue is fixed in version 1.33.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Product Status

Vendor AmauriC
Product tarteaucitron.js
Versions
  • Version < 1.33.0 is affected

References

Problem Types

  • CWE-285: Improper Authorization CWE