Skip to main content

tarteaucitron.js CVE-2026-49977

MEDIUM
Improper Authorization (CWE-285)
2026-07-10 https://github.com/AmauriC/tarteaucitron.js GHSA-jxj7-g6gm-49j7
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
3.1 LOW

AC:H reflects the compound requirement of knowing the exact target cookie name and confirming it lacks HttpOnly; all other metrics align with the provided vector.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 16:39 vuln.today

DescriptionGitHub Advisory

Summary

tarteaucitron provides a list of cookies and buttons to delete them. If an attacker can write HTML with data attributes, they could create an element that silently deletes a cookie when clicked and trick a user to delete this cookie.

Details

tarteaucitron.cookie.purge() is called on any element with the purgeBtn class. It does not check if the element is a legitimate tarteaucitron button or if the cookie corresponds to a service handled by tarteaucitron.

PoC

html
<a class="purgeBtn" data-cookie="foo">Click me!</a>

If someone has a cookie with this name and clicks on the link, the cookie is silently deleted.

Impact

The impact is limited because this only works on cookies without HttpOnly=true and the attacker has to know the name of the cookie.

AnalysisAI

Cookie deletion via unauthorized class-based invocation in tarteaucitron.js allows an attacker with HTML injection capability to silently delete browser cookies by placing arbitrary elements bearing the purgeBtn CSS class in a page that loads the library. The tarteaucitron.cookie.purge() function responds to any matching DOM element without verifying whether it was created by the library itself or whether the specified cookie belongs to a tarteaucitron-managed service, enabling targeted cookie removal against visitors who interact with the crafted element. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target page loading tarteaucitron.js with an HTML injection point
Delivery
Inject element with purgeBtn class and target cookie name in data-cookie attribute
Exploit
Social-engineer victim to click the crafted element
Execution
tarteaucitron.cookie.purge() invoked without origin or scope validation
Impact
Non-HttpOnly cookie silently deleted from victim's browser

Vulnerability AssessmentAI

Exploitation Three conditions must all be satisfied simultaneously: (1) The attacker must control or inject HTML with arbitrary class and data-* attributes into a page that loads tarteaucitron.js - this requires an independent injection vulnerability in the host application such as stored XSS, unsanitized user-generated content rendering, or template injection; (2) The targeted cookie must not carry the HttpOnly flag - any cookie with HttpOnly=true is unreachable by JavaScript and fully immune to this attack; (3) The attacker must know the exact name of the cookie to target. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The GitHub advisory assigns CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (4.3 Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a stored HTML injection flaw in a web application's comment system that also loads tarteaucitron.js. They post a comment containing `<a class='purgeBtn' data-cookie='user_lang_pref'>Click to claim your prize</a>`. …
Remediation Consult the upstream GitHub advisory at https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-jxj7-g6gm-49j7 for a patched release; no specific fixed version is confirmed from the available intelligence data, so fix status must be verified directly with the maintainer. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy