Moderate severity · NVD Advisory · Published Jan 13, 2026 · Updated Jan 13, 2026

tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability

CVE-2026-22809

Description

tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
tarteaucitronjs (npm) | < 1.29.0 | 1.29.0


Patches

f0bbdac2fdf3

Security: fix potential Redos

2 files changed · +2 -24
  • tarteaucitron.services.js +1 -23 modified
    @@ -2405,28 +2405,6 @@ tarteaucitron.services.aduptech_retargeting = {
         }
     };
     
    -// alexa
    -tarteaucitron.services.alexa = {
    -    "key": "alexa",
    -    "type": "analytic",
    -    "name": "Alexa",
    -    "uri": "https://www.alexa.com/help/privacy",
    -    "needConsent": true,
    -    "cookies": ['__asc', '__auc'],
    -    "js": function () {
    -        "use strict";
    -        if (tarteaucitron.user.alexaAccountID === undefined) {
    -            return;
    -        }
    -        window._atrk_opts = {
    -            atrk_acct: tarteaucitron.user.alexaAccountID,
    -            domain: window.location.hostname.match(/[^\.]*\.[^.]*$/)[0],
    -            dynamic: true
    -        };
    -        tarteaucitron.addScript('https://d31qbv1cthcecs.cloudfront.net/atrk.js');
    -    }
    -};
    -
     // amazon
     tarteaucitron.services.amazon = {
         "key": "amazon",
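Review bot: The removal of the whole `tarteaucitron.services.alexa` definition is not documented; the commit message only says "fix potential Redos". If the motive is the unanchored `window.location.hostname.match(/[^\.]*\.[^.]*$/)[0]` call inside that block, the message or changelog should say so, and should state that the `alexa` service key no longer exists, so integrators who still list it can tell the drop was deliberate and not a side effect of the regex fix.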
    @@ -5601,7 +5579,7 @@ tarteaucitron.services.issuu = {
                 }
     
     
    -            if (issuu_id.match(/\d+\/\d+/)) { issuu_embed = '#' + issuu_id; } else if (issuu_id.match(/d=(.*)&u=(.*)/)) { issuu_embed = '?' + issuu_id; }
    +            if (issuu_id.match(/^\d+\/\d+$/)) { issuu_embed = '#' + issuu_id; } else { issuu_embed = '?' + issuu_id; }
     
     
                 issuu_frame = '<iframe title="' + frame_title + '" style="' + styleAttr + '" src="//e.issuu.com/embed.html' + issuu_embed + '"></iframe>';
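Review bot: The new `else` branch of the `issuu_id` check accepts every value that is not `digits/digits`, prefixes it with `?` and concatenates it into the iframe `src` on the following line, whereas the old code only did so when the value matched `d=...&u=...`. Anchoring the first pattern with `^...$` deals with the backtracking, but dropping the second test removes the only shape check on that path. Consider keeping a second anchored check built from bounded character classes that exclude `&`, or encoding the value before it reaches the HTML string, and adding a length limit on `issuu_id` ahead of the match so the cost is bounded whatever pattern is used.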
    
  • tarteaucitron.services.min.js +1 -1 modified
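
An added example, not code from tarteaucitron.js or from the advisory: one way to validate issuu_id in linear time before it reaches the embed URL, accepting only the two shapes named in the pre-fix line of the patch (digits/digits and d=...&u=...). The function names, the 256-character cap and the allowed character set are assumptions.

```javascript
// Added example: linear-time validation of the issuu_id value before it is
// placed in the embed URL. Function names, length cap and allowed character
// set are assumptions for illustration, not tarteaucitron.js code.
const MAX_ISSUU_ID_LENGTH = 256; // assumed cap; bounds the work on any input

// Anchored at both ends, so the engine tries one start position only.
const NUMERIC_ID = /^\d{1,20}\/\d{1,20}$/;
// The class [\w.-] cannot match '&' or '=', so no two quantifiers compete
// for the same characters and the match has nothing to backtrack over.
const DOC_USER_ID = /^d=[\w.-]{1,100}&u=[\w.-]{1,100}$/;

// Returns the URL suffix for a recognised id, or null for anything else.
function issuuEmbedSuffix(issuuId) {
    if (typeof issuuId !== 'string' || issuuId.length > MAX_ISSUU_ID_LENGTH) {
        return null; // rejected before any regex runs
    }
    if (NUMERIC_ID.test(issuuId)) {
        return '#' + issuuId;
    }
    if (DOC_USER_ID.test(issuuId)) {
        return '?' + issuuId;
    }
    return null; // unknown shape: the caller should not render the iframe
}

// Builds the iframe src used by the embed, or null when the id is rejected.
function issuuFrameSrc(issuuId) {
    const suffix = issuuEmbedSuffix(issuuId);
    return suffix === null ? null : '//e.issuu.com/embed.html' + suffix;
}
```

Unlike the patched line, this version rejects unrecognised values instead of passing them through with a `?` prefix.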
