CVE-2026-49977
CVE-2026-49977CVE-2026-49977
Description
tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.33.0, tarteaucitron.cookie.purge() is called on any element with the purgeBtn class and does not check whether the element is a legitimate tarteaucitron button or whether the cookie corresponds to a service handled by tarteaucitron. If an attacker can write HTML with data attributes, an element with data-cookie can silently delete a non-HttpOnly cookie with a known name when clicked by a user. This issue is fixed in version 1.33.0.
Scoring
| CVSS | 4.3 () |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| Last modified | 2026-07-17 |