tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability
A potential Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter.
Advisories for Npm/Tarteaucitronjs package
2026
2025
tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript
A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual <script> element. If an attacker injected an HTML element such as: <img name="currentScript" src="https://malicious.example.com"> it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser …
tarteaucitron.js allows url scheme injection via unfiltered inputs
A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as javascript:alert(). Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript execution if a user clicked on a malicious link.
tarteaucitron.js allows UI manipulation via unrestricted CSS injection
A vulnerability was identified in tarteaucitron.js, where user-controlled inputs for element dimensions (width and height) were not properly validated. This allowed an attacker with direct access to the site's source code or a CMS plugin to set values like 100%;height:100%;position:fixed;, potentially covering the entire viewport and facilitating clickjacking attacks.
tarteaucitron.js allows prototype pollution via custom text injection
A vulnerability was identified in tarteaucitron.js, where the addOrUpdate function, used for applying custom texts, did not properly validate input. This allowed an attacker with direct access to the site's source code or a CMS plugin to manipulate JavaScript object prototypes, leading to potential security risks such as data corruption or unintended code execution.
tarteaucitron Cross-site Scripting (XSS)
Versions of the package tarteaucitronjs before 1.17.0 are vulnerable to Cross-site Scripting (XSS) via the getElemWidth() and getElemHeight(). This is related to SNYK-JS-TARTEAUCITRONJS-8366541
2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository amauric/tarteaucitron.js prior to v1.13.1.