Threat Advisory

Tarteaucitron Flaw Deletes Arbitrary Cookies Without User Consent

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-49977 with a CVSS score of 4.3 is a vulnerability affecting tarteaucitronjs versions < 1.33.0 in the tarteaucitron library that allows an attacker to delete arbitrary cookies by creating an element with a data attribute and tricking a user into clicking on it. The vulnerability exists because the library does not check if the element is a legitimate button or if the cookie corresponds to a service handled by tarteaucitron, allowing an attacker to silently delete a cookie when clicked. This flaw type affects the cookie management functionality of the library and can be exploited via user interaction, requiring no privileges and having a low impact on confidentiality, integrity, and availability. The business impact is limited because this only works on cookies without HttpOnly=true and the attacker has to know the name of the cookie.

RECOMMENDATION:

We recommend you to update tarteaucitronjs to version 1.33.0.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-49977 with a CVSS score of 4.3 is a vulnerability affecting tarteaucitronjs versions < 1.33.0 in the tarteaucitron library that allows an attacker to delete arbitrary cookies by creating an element with a data attribute and tricking a user into clicking on it. The vulnerability exists because the library does not check if the element is a legitimate button or if the cookie corresponds to a service handled by tarteaucitron, allowing an attacker to silently delete a cookie when clicked. This flaw type affects the cookie management functionality of the library and can be exploited via user interaction, requiring no privileges and having a low impact on confidentiality, integrity, and availability. The business impact is limited because this only works on cookies without HttpOnly=true and the attacker has to know the name of the cookie.

RECOMMENDATION:

We recommend you to update tarteaucitronjs to version 1.33.0.[emaillocker id="1283"]

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu