CVE-2026-49977 with a CVSS score of 4.3 is a vulnerability affecting tarteaucitronjs versions < 1.33.0 in the tarteaucitron library that allows an attacker to delete arbitrary cookies by creating an element with a data attribute and tricking a user into clicking on it. The vulnerability exists because the library does not check if the element is a legitimate button or if the cookie corresponds to a service handled by tarteaucitron, allowing an attacker to silently delete a cookie when clicked. This flaw type affects the cookie management functionality of the library and can be exploited via user interaction, requiring no privileges and having a low impact on confidentiality, integrity, and availability. The business impact is limited because this only works on cookies without HttpOnly=true and the attacker has to know the name of the cookie.
We recommend you to update tarteaucitronjs to version 1.33.0.[/subscribe_to_unlock_form]
CVE-2026-49977 with a CVSS score of 4.3 is a vulnerability affecting tarteaucitronjs versions < 1.33.0 in the tarteaucitron library that allows an attacker to delete arbitrary cookies by creating an element with a data attribute and tricking a user into clicking on it. The vulnerability exists because the library does not check if the element is a legitimate button or if the cookie corresponds to a service handled by tarteaucitron, allowing an attacker to silently delete a cookie when clicked. This flaw type affects the cookie management functionality of the library and can be exploited via user interaction, requiring no privileges and having a low impact on confidentiality, integrity, and availability. The business impact is limited because this only works on cookies without HttpOnly=true and the attacker has to know the name of the cookie.
We recommend you to update tarteaucitronjs to version 1.33.0.[emaillocker id="1283"]
The following reports contain further technical details:
[/emaillocker]