Cookie Purging Vulnerability in Tarteaucitron.js by Amauri C
CVE-2026-49977

4.3MEDIUM

Key Information:

Vendor

Amauric

Vendor
CVE Published:
17 July 2026

What is CVE-2026-49977?

Tarteaucitron.js, a popular cookie consent management tool, suffers from a vulnerability that allows for the improper purging of cookies. In versions prior to 1.33.0, the tarteaucitron.cookie.purge() function can be executed on any element with the purgeBtn class without validating if the element is an authentic Tarteaucitron button or if the cookie being purged corresponds to a service managed by Tarteaucitron. This weakness enables an attacker with the ability to inject HTML with required data attributes to silently delete non-HttpOnly cookies merely through user interaction. Users are advised to upgrade to version 1.33.0 to mitigate this issue effectively.

Affected Version(s)

tarteaucitron.js < 1.33.0

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.