Description

Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.

INFO

Published Date :

2026-02-26T00:19:24.289Z

Last Modified :

2026-02-26T14:40:07.451Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27837 vulnerability.

Vendors Products
Dottie Project
  • Dottie
Mickhansen
  • Dottie.js
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27837.

URL Resource
https://github.com/advisories/GHSA-4gxf-g5gf-22h4 cve-icon cve-icon cve-icon
https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14 cve-icon cve-icon cve-icon
https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-27837 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-27837 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact