CVE-2026-49977
tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.33.0, tarteaucitron.cookie.purge() is called on any element with th
CVSS
4.3
Medio
EPSS
—
KEV
—
Exploit Today
—
0-100
Publicado: 17 jul 2026 · Última mod.: 17 jul 2026 · CWE-285
Sin historial EPSS suficiente todavía.
tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.33.0, tarteaucitron.cookie.purge() is called on any element with the purgeBtn class and does not check whether the element is a legitimate tarteaucitron button or whether the cookie corresponds to a service handled by tarteaucitron. If an attacker can write HTML with data attributes, an element with data-cookie can silently delete a non-HttpOnly cookie with a known name when clicked by a user. This issue is fixed in version 1.33.0.
- github.comhttps://github.com/AmauriC/tarteaucitron.js/commit/24b5464400ae2ff1ad96a092c629b9d632b9cc93
- github.comhttps://github.com/AmauriC/tarteaucitron.js/releases/tag/v1.33.0
- github.comhttps://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-jxj7-g6gm-49j7
- www.drupal.orghttps://www.drupal.org/sa-contrib-2026-040