CVE-2026-49977: tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies
tarteaucitron provides a list of cookies and buttons to delete them. If an attacker can write HTML with data attributes, they could create an element that silently deletes a cookie when clicked and trick a user to delete this cookie.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-49977 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →