tarteaucitronjs (TacJS Drupal Module), Improper Input Validation – Arbitrary Cookie Deletion, CVE-2026-49977 (Moderate) -DC-Jul2026-856

Listen to this Post

tarteaucitron.js is a popular open-source cookie consent management library that provides websites with a compliant and accessible cookie banner for GDPR and European cookie law compliance. The library includes a built-in cookie management interface that displays a list of cookies and provides “purge” buttons allowing users to delete individual cookies directly from the banner.
The vulnerability identified as CVE-2026-49977 resides in the `tarteaucitron.cookie.purge()` function, which is invoked on any DOM element that bears the `purgeBtn` CSS class. The core issue is that this function does not perform any validation to verify that:
1. The clicked element is a legitimate tarteaucitron button generated by the library itself
2. The cookie being targeted corresponds to a service actually managed by tarteaucitron
The `data-cookie` HTML attribute is used to specify which cookie should be deleted when a purge button is clicked. Because the library blindly trusts this attribute without sanitization or whitelisting, an attacker who can inject arbitrary HTML into a page can create a malicious element with the `purgeBtn` class and a `data-cookie` attribute pointing to any cookie name.
When a user clicks on this attacker-controlled element, `tarteaucitron.cookie.purge()` executes and silently deletes the specified cookie without any user confirmation or notification. This effectively allows an attacker to delete arbitrary cookies from the user’s browser, provided the cookies do not have the `HttpOnly` flag set.
The attack requires the attacker to have the ability to insert specific data attributes into the page markup—a capability typically available through stored XSS vulnerabilities, malicious CMS plugin configurations, or privileged content editing access. The impact is somewhat limited as cookies with `HttpOnly=true` are protected from JavaScript access and cannot be deleted through this vector, and the attacker must know the exact name of the target cookie.

DailyCVE Form:

Platform: Drupal (TacJS module)
Version: TacJS module (unspecified vulnerable versions)
Vulnerability: Arbitrary cookie deletion
Severity: Moderate
Date: June 3, 2026

Prediction: July 17, 2026

What Undercode Say:

Check if a Drupal site is using the vulnerable TacJS module
drush pm-list --type=module --status=enabled | grep tacjs
Alternative: Check via Drupal database
drush sqlq "SELECT name, status FROM system WHERE type='module' AND name LIKE '%tac%'"
Check installed version of tarteaucitron.js library
grep -r "tarteaucitron.js" /path/to/drupal/web/modules/contrib/tacjs/
Search for purgeBtn class usage in rendered HTML
curl -s https://target-site.com | grep -i "purgeBtn"
Test for the vulnerability by injecting a test element (proof of concept)
Note: This requires the ability to inject HTML into the page

PoC HTML injection:

<!-- Malicious element that deletes a cookie when clicked -->
<a href="" class="purgeBtn" data-cookie="session_token">Click here for discount</a>
<!-- Target a common cookie name -->

<div class="purgeBtn" data-cookie="user_session">Delete</div>

<!-- Target authentication cookies (if HttpOnly=false) -->
<button class="purgeBtn" data-cookie="auth_token">Submit</button>

JavaScript analysis:

// The vulnerable function in tarteaucitron.js
tarteaucitron.cookie.purge = function() {
var purgeBtns = document.querySelectorAll('.purgeBtn');
for (var i = 0; i < purgeBtns.length; i++) {
purgeBtns[bash].addEventListener('click', function(e) {
var cookieName = this.getAttribute('data-cookie');
// No validation - directly deletes the cookie
tarteaucitron.cookie.delete(cookieName);
});
}
};

Exploit:

To exploit CVE-2026-49977, an attacker must first gain the ability to inject HTML markup containing specific data attributes into a page where tarteaucitron.js is loaded. This can be achieved through:
1. Stored XSS: Injecting malicious content into a forum post, comment, or any user-generated content field that is not properly sanitized
2. CMS Plugin Access: Gaining high-privilege access to the site’s source code or a CMS plugin configuration
3. Compromised Editor Accounts: Using stolen credentials of content editors who have permission to add raw HTML
Once the attacker can inject HTML, they create an element with:
– The `purgeBtn` class (to trigger the event listener)
– A `data-cookie` attribute set to the name of the target cookie
When a user clicks the malicious element, the `tarteaucitron.cookie.purge()` function executes and silently deletes the specified cookie without any confirmation dialog, visual indication, or logging.

Example attack scenario:

<!-- Hidden malicious element -->
<span class="purgeBtn" data-cookie="user_preferences" style="display:none;"></span>
<!-- Visible decoy that triggers the hidden element -->
<a href="" onclick="document.querySelector('.purgeBtn').click();">Special Offer</a>

This could delete session cookies, preference cookies, or any other non-HttpOnly cookie, potentially causing:
– User session disruption
– Loss of saved preferences
– De-authentication (if the session cookie is not HttpOnly)
– Disruption of tracking or analytics

Protection:

Immediate Actions:

  1. Update the TacJS module to the patched version as soon as it becomes available from Drupal.org
  2. Upgrade tarteaucitron.js to version 1.22.0 or higher if using the standalone library

Code-Level Mitigations:

// Implement input validation in the purge function
tarteaucitron.cookie.purge = function() {
var purgeBtns = document.querySelectorAll('.purgeBtn');
var allowedCookies = ['cookie1', 'cookie2', 'cookie3']; // Whitelist
for (var i = 0; i < purgeBtns.length; i++) {
purgeBtns[bash].addEventListener('click', function(e) {
var cookieName = this.getAttribute('data-cookie');
// Validate that the cookie is in the allowed list
if (allowedCookies.indexOf(cookieName) !== -1) {
tarteaucitron.cookie.delete(cookieName);
} else {
console.warn('Attempted to delete unauthorized cookie:', cookieName);
}
});
}
};

Additional Protections:

  • Set the `HttpOnly` flag on all sensitive cookies (session tokens, authentication cookies) to prevent JavaScript from accessing or deleting them
  • Implement proper input sanitization and output encoding for all user-supplied content
  • Use Content Security Policy (CSP) to restrict inline script execution and unauthorized DOM manipulation
  • Regularly audit user-generated content and sanitize HTML attributes
  • Apply the principle of least privilege to content editors and CMS users

Impact:

Technical Impact:

  • Confidentiality: None – cookies are deleted, not exposed
  • Integrity: Low – unauthorized deletion of cookies can disrupt user experience
  • Availability: Low – may cause session termination or loss of preferences

Business Impact:

  • Users may be unexpectedly logged out if session cookies are deleted
  • Loss of user preferences leading to degraded user experience
  • Disruption of analytics and tracking systems
  • Potential for social engineering attacks (users clicking on decoy elements)
  • Reputational damage if the vulnerability is exploited in the wild

Limitations:

  • Only affects cookies without `HttpOnly=true` flag
  • Attacker must know the exact name of the target cookie
  • Requires the ability to inject HTML with specific data attributes
  • Does not lead to remote code execution or data exfiltration

CVSS Score: Moderate (estimated 4.3-5.4)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low (requires content injection capability)
  • User Interaction: Required (user must click the malicious element)
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top