tarteaucitron.js CVE-2026-49977
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
AC:H reflects the compound requirement of knowing the exact target cookie name and confirming it lacks HttpOnly; all other metrics align with the provided vector.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
tarteaucitron provides a list of cookies and buttons to delete them. If an attacker can write HTML with data attributes, they could create an element that silently deletes a cookie when clicked and trick a user to delete this cookie.
Details
tarteaucitron.cookie.purge() is called on any element with the purgeBtn class. It does not check if the element is a legitimate tarteaucitron button or if the cookie corresponds to a service handled by tarteaucitron.
PoC
<a class="purgeBtn" data-cookie="foo">Click me!</a>If someone has a cookie with this name and clicks on the link, the cookie is silently deleted.
Impact
The impact is limited because this only works on cookies without HttpOnly=true and the attacker has to know the name of the cookie.
AnalysisAI
Cookie deletion via unauthorized class-based invocation in tarteaucitron.js allows an attacker with HTML injection capability to silently delete browser cookies by placing arbitrary elements bearing the purgeBtn CSS class in a page that loads the library. The tarteaucitron.cookie.purge() function responds to any matching DOM element without verifying whether it was created by the library itself or whether the specified cookie belongs to a tarteaucitron-managed service, enabling targeted cookie removal against visitors who interact with the crafted element. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three conditions must all be satisfied simultaneously: (1) The attacker must control or inject HTML with arbitrary class and data-* attributes into a page that loads tarteaucitron.js - this requires an independent injection vulnerability in the host application such as stored XSS, unsanitized user-generated content rendering, or template injection; (2) The targeted cookie must not carry the HttpOnly flag - any cookie with HttpOnly=true is unreachable by JavaScript and fully immune to this attack; (3) The attacker must know the exact name of the cookie to target. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The GitHub advisory assigns CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (4.3 Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers a stored HTML injection flaw in a web application's comment system that also loads tarteaucitron.js. They post a comment containing `<a class='purgeBtn' data-cookie='user_lang_pref'>Click to claim your prize</a>`. … |
| Remediation | Consult the upstream GitHub advisory at https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-jxj7-g6gm-49j7 for a patched release; no specific fixed version is confirmed from the available intelligence data, so fix status must be verified directly with the maintainer. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jxj7-g6gm-49j7