CVE-2026-22809 - Vulnerability Details

tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Amauri	Tarteaucitronjs

Configuration 1 [-]

cpe:2.3:a:amauri:tarteaucitronjs:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52
https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm

History

Tue, 20 Jan 2026 17:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:amauri:tarteaucitronjs::::::node.js::*

Wed, 14 Jan 2026 11:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amauri Amauri tarteaucitronjs
Vendors & Products		Amauri Amauri tarteaucitronjs

Tue, 13 Jan 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 13 Jan 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0.
Title		tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability
Weaknesses		CWE-1333
References		https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52 https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm
Metrics		cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-13T19:36:21.582Z

Updated: 2026-01-13T19:47:24.567Z

Reserved: 2026-01-09T22:50:10.288Z

Link: CVE-2026-22809

Vulnrichment

Updated: 2026-01-13T19:47:21.789Z

NVD

Status : Analyzed

Published: 2026-01-13T20:16:11.263

Modified: 2026-01-20T16:49:02.293

Link: CVE-2026-22809

Redhat

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object