Is Dottie affected by CVE-2026-27837?

Organizations using JavaScript. should be aware of moderate risk from CVE-2026-27837, a prototype pollution vulnerability rated CVSS 6.3. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available.

CVE-2026-27837

MEDIUM

2026-02-26 [email protected]

GHSA-r5mx-6wc6-7h9w

6.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 28, 2026 - 00:58 vuln.today

Public exploit code

Patch Released

Feb 28, 2026 - 00:58 nvd

Patch available

CVE Published

Feb 26, 2026 - 01:16 nvd

MEDIUM 6.3

Description

Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.

Analysis

Dottie versions 2.0.4 through 2.0.6 suffer from an incomplete prototype pollution fix that allows attackers to bypass validation by placing `__proto__` in non-first positions within dot-separated paths, affecting both `dottie.set()` and `dottie.transform()` functions. An attacker can exploit this to pollute object prototypes and achieve limited confidentiality, integrity, and availability impacts. …

Remediation

Within 30 days: Identify affected systems running JavaScript. and apply vendor patches as part of regular patch cycle. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +32

POC: +20

Vendor Status

CVE-2026-27837 vulnerability details – vuln.today

Back

CVE-2026-27837

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Share

CVE-2026-27837

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Share

External POC / Exploit Code