Cookie Purging Vulnerability in Tarteaucitron.js by Amauri C
CVE-2026-49977
4.3MEDIUM
What is CVE-2026-49977?
Tarteaucitron.js, a popular cookie consent management tool, suffers from a vulnerability that allows for the improper purging of cookies. In versions prior to 1.33.0, the tarteaucitron.cookie.purge() function can be executed on any element with the purgeBtn class without validating if the element is an authentic Tarteaucitron button or if the cookie being purged corresponds to a service managed by Tarteaucitron. This weakness enables an attacker with the ability to inject HTML with required data attributes to silently delete non-HttpOnly cookies merely through user interaction. Users are advised to upgrade to version 1.33.0 to mitigate this issue effectively.
Affected Version(s)
tarteaucitron.js < 1.33.0
