tarteaucitron.js allows prototype pollution via custom text injection
- Severity: Medium
Description
A vulnerability was identified in tarteaucitron.js, where the addOrUpdate function, used for applying custom texts, did not properly validate its input, allowing prototype pollution through injected custom text entries.
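An added illustration, not code from the tarteaucitron.js project, of the defect class described above: a hypothetical custom-text merger in the style of an addOrUpdate routine, in a vulnerable and a hardened form, exercised with a constructed override. The function and table names are assumptions for the example.

```javascript
// Constructed text table standing in for the library's language strings.
function freshTexts() {
  return { alert: { title: "Cookie notice", accept: "Accept" } };
}

// Vulnerable shape: walks every key of the override, "__proto__" included,
// so a crafted override recurses into Object.prototype and writes onto it.
function applyCustomTextsUnsafe(texts, override) {
  for (const key in override) {
    const value = override[key];
    if (value !== null && typeof value === "object") {
      if (texts[key] === undefined) texts[key] = {};
      applyCustomTextsUnsafe(texts[key], value);
    } else {
      texts[key] = value;
    }
  }
  return texts;
}

// Hardened shape: own keys only, prototype-reaching names rejected,
// nested writes only into own plain sub-tables, leaf values must be strings.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function applyCustomTextsSafe(texts, override) {
  for (const key of Object.keys(override)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = override[key];
    if (value !== null && typeof value === "object") {
      const ownTable = Object.prototype.hasOwnProperty.call(texts, key) &&
        texts[key] !== null && typeof texts[key] === "object";
      if (!ownTable) texts[key] = {};
      applyCustomTextsSafe(texts[key], value);
    } else if (typeof value === "string") {
      texts[key] = value;
    }
  }
  return texts;
}

// Check: does `merge` leak a property onto Object.prototype? Cleans up
// afterwards so the rest of the process is unaffected.
function pollutesPrototype(merge, override) {
  merge(freshTexts(), override);
  const leaked = ({}).polluted !== undefined;
  delete Object.prototype.polluted;
  return leaked;
}

// Constructed override as it would arrive parsed from JSON: one legitimate
// text change plus a key that reaches into the prototype chain.
const craftedOverride = JSON.parse('{"alert": {"title": "Hi"}, "__proto__": {"polluted": "yes"}}');
console.log("unsafe leaks:", pollutesPrototype(applyCustomTextsUnsafe, craftedOverride),
  "safe leaks:", pollutesPrototype(applyCustomTextsSafe, craftedOverride));
```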
Recommendation
Update the tarteaucitronjs package to the latest compatible version. Version details:
- Affected version(s): < 1.20.1
- Patched version(s): 1.20.1
Related Issues
- tarteaucitron.js allows URL scheme injection via unfiltered inputs - CVE-2025-31476
- tarteaucitron.js allows UI manipulation via unrestricted CSS injection - CVE-2025-31138
- Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) - CVE-2025-8101
- billboard.js allows prototype pollution via the function generate - CVE-2025-49223
- Tags: npm, tarteaucitronjs
Last updated on April 07, 2025