DRUPAL-CONTRIB-2026-040

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tacjs/DRUPAL-CONTRIB-2026-040.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-040
Aliases
  • CVE-2026-49977
Published
2026-06-03T16:11:51Z
Modified
2026-06-04T20:00:04.454410458Z
Summary
[none]
Details

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside content, which allows an attacker to delete arbitrary cookies.

This vulnerability is mitigated by the fact that an attacker needs to be able to insert specific data attributes in the page.

For additional information, see the GitHub Security Advisory GHSA-jxj7-g6gm-49j7 for the tarteaucitron.js library.


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/tacjs

Package

Name
drupal/tacjs
Purl
pkg:composer/drupal%2Ftacjs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.8.0
Database specific
{
    "constraint": "<6.8"
}

Database specific

affected_versions
"<6.8"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tacjs/DRUPAL-CONTRIB-2026-040.json"