
Dottie

1 CVEs product

Monthly

CVE-2026-27837 npm MEDIUM POC PATCH This Month

Dottie versions 2.0.4 through 2.0.6 suffer from an incomplete prototype pollution fix that allows attackers to bypass validation by placing `__proto__` in non-first positions within dot-separated paths, affecting both `dottie.set()` and `dottie.transform()` functions. An attacker can exploit this to pollute object prototypes and achieve limited confidentiality, integrity, and availability impacts. Public exploit code exists and a patch is available in version 2.0.7.

Code Injection Dottie Red Hat
NVD GitHub
CVSS 3.1: 6.3
EPSS: 0.1%
