{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22809", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T22:50:10.288Z", "datePublished": "2026-01-13T19:36:21.582Z", "dateUpdated": "2026-01-13T19:47:24.567Z"}, "containers": {"cna": {"title": "tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm"}, {"name": "https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52", "tags": ["x_refsource_MISC"], "url": "https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52"}], "affected": [{"vendor": "AmauriC", "product": "tarteaucitron.js", "versions": [{"version": "< 1.29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-13T19:36:21.582Z"}, "descriptions": [{"lang": "en", "value": "tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0."}], "source": {"advisory": "GHSA-q5f6-qxm2-mcqm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T19:47:19.858449Z", "id": "CVE-2026-22809", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:47:24.567Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T19:47:19.858449Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:47:21.789Z"}}], "cna": {"title": "tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability", "source": {"advisory": "GHSA-q5f6-qxm2-mcqm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "AmauriC", "product": "tarteaucitron.js", "versions": [{"status": "affected", "version": "< 1.29.0"}]}], "references": [{"url": "https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm", "name": "https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52", "name": "https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-13T19:36:21.582Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22809", "state": "PUBLISHED", "dateUpdated": "2026-01-13T19:47:24.567Z", "dateReserved": "2026-01-09T22:50:10.288Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-13T19:36:21.582Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amauri:tarteaucitronjs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0BEC3231-9805-4074-93EB-2CCB444A1CA5", "versionEndExcluding": "1.29.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0."}], "id": "CVE-2026-22809", "lastModified": "2026-01-20T16:49:02.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-13T20:16:11.263", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Patch"], "url": "https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:21:11.274394+00:00", "value": {"mitigation_remediation": ["Upgrade tarteaucitron.js to version 1.29.0 or later.", "Validate the issuu_id input against a strict regex or known GUID format before passing to the library.", "Implement rate limiting or input size restrictions on the issuu_id parameter to prevent repeated ReDoS attempts."], "summary": {"action": "Upgrade", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of tarteaucitron.js older than version 1.29.0 from the AmauriC project. Any deployment using the library prior to 1.29.0 is susceptible to ReDoS when a malicious issuu_id is supplied.", "description_and_impact": "A Regular Expression Denial of Service (ReDoS) flaw was discovered in tarteaucitron.js that is triggered when processing the issuu_id parameter. The vulnerable regular expression can be fed a specially crafted value that causes the JavaScript engine to perform an exponential amount of work, leading to significant CPU usage and a potential denial of service for end users. The impact is limited to application availability; confidentiality and integrity are not directly affected.", "risk_and_exploitability": "The CVSS score of 4.4 classifies this flaw as low to moderate severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to provide a crafted issuu_id value, which could come from an attacker's controlled web page embedding the script or an injected request. The requirement for user-supplied input keeps the threat realistic in scenarios where the banner is exposed to untrusted input sources."}}}}, "created": "2026-01-14T11:08:29.047632+00:00", "updated": "2026-04-18T16:30:05.080494+00:00", "vendors": ["amauri", "amauri$PRODUCT$tarteaucitronjs"]}