PatchSiren cyber security CVE debrief
CVE-2026-49977 AmauriC CVE debrief
A vulnerability in tarteaucitron.js, a compliant and accessible cookie banner, was discovered prior to version 1.33.0. The issue arises from the tarteaucitron.cookie.purge() function being called on any element with the purgeBtn class without verifying if the element is a legitimate tarteaucitron button or if the cookie corresponds to a service handled by tarteaucitron. This allows an attacker to write HTML with data attributes and silently delete a non-HttpOnly cookie with a known name when clicked by a user. The vulnerability is fixed in version 1.33.0.
- Vendor
- AmauriC
- Product
- tarteaucitron.js
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Developers and administrators using tarteaucitron.js in their web applications should be aware of this vulnerability and ensure they are using version 1.33.0 or later to prevent potential cookie deletion attacks. They should also verify and validate user input for elements with the purgeBtn class and implement additional security measures to protect against cookie deletion attacks.
Technical summary
The vulnerability in tarteaucitron.js, a compliant and accessible cookie banner, is caused by the lack of validation in the tarteaucitron.cookie.purge() function. This function is called on any element with the purgeBtn class, which can be exploited by an attacker to delete non-HttpOnly cookies with known names. The issue arises because the function does not verify if the element is a legitimate tarteaucitron button or if the cookie corresponds to a service handled by tarteaucitron. This allows an attacker to write HTML with data attributes and silently delete a non-HttpOnly cookie with a known name when clicked by a user. The vulnerability is fixed in version 1.33.0 of tarteaucitron.js, where the function now properly checks for legitimate buttons and corresponding services before deleting cookies.
Defensive priority
Medium
Recommended defensive actions
- Update tarteaucitron.js to version 1.33.0 or later
- Verify and validate user input for elements with the purgeBtn class
- Implement additional security measures to protect against cookie deletion attacks
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The vulnerability was discovered and reported by an unknown source. The CVE record was published on 2026-07-17T21:17:06.930Z and has not been modified since then. The NVD entry is currently in the 'Received' status. There is limited information available about the specific details of the vulnerability and its impact. Further verification and validation are necessary to understand the full scope of the issue.
Official resources
-
CVE-2026-49977 CVE record
CVE.org
-
CVE-2026-49977 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
- Source reference
- Source reference
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T21:17:06.930Z and has not been modified since then. The NVD entry is currently Received.