Improper Authorization Affecting tarteaucitronjs package, versions <1.33.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Authorization vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-TARTEAUCITRONJS-17950992
  • published11 Jul 2026
  • disclosed10 Jul 2026
  • creditUnknown

Introduced: 10 Jul 2026

NewCVE-2026-49977  (opens in a new tab)
CWE-285  (opens in a new tab)

How to fix?

Upgrade tarteaucitronjs to version 1.33.0 or higher.

Overview

tarteaucitronjs is a package that provides compliance to the European cookie law.

Affected versions of this package are vulnerable to Improper Authorization via the purgeBtn process. An attacker can cause unintended deletion of arbitrary cookies by tricking a user into clicking a crafted element with a specific data-cookie attribute. This is only exploitable if the attacker can inject HTML with data attributes and knows the name of a non-HttpOnly cookie.

CVSS Base Scores

version 4.0
version 3.1