CVE-2026-22809: tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability

January 13, 2026

A potential Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter.

References

github.com/AmauriC/tarteaucitron.js
github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52
github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm
github.com/advisories/GHSA-q5f6-qxm2-mcqm
nvd.nist.gov/vuln/detail/CVE-2026-22809

Code Behaviors & Features

Detect and mitigate CVE-2026-22809 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →