Cyber Posture

CVE-2026-27837

Severity: Medium · Public PoC

Published: 26 February 2026
Modified: 28 February 2026
KEV Added:
Patch:
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0016 (37.0th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27837 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in the Dottie library (vendor: Dottie Project). Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-2 Flaw Remediation): Directly mitigates the prototype pollution vulnerability by requiring timely patching to Dottie version 2.0.7 or later.

prevent (SI-10 Information Input Validation): Prevents exploitation by validating dot-separated object paths to block '__proto__' in any position before processing with dottie.set() or dottie.transform().

detect: Identifies deployment of vulnerable Dottie versions 2.0.4-2.0.6 through vulnerability scanning, enabling remediation.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.003 Runtime Data Manipulation (Impact)
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.

Why these techniques?

Vulnerability enables remote exploitation of public-facing JavaScript applications via crafted input (T1190), facilitating prototype pollution that tampers with object prototypes for runtime data manipulation (T1565.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.

Deeper analysis (AI)

CVE-2026-27837 is a prototype pollution vulnerability affecting the Dottie JavaScript library, which provides nested object access and manipulation capabilities. Versions 2.0.4 through 2.0.6 contain an incomplete fix for the prior CVE-2023-26132, where the prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path. This allows attackers to bypass the protection by placing "__proto__" at any position other than the first in the path. Both the dottie.set() and dottie.transform() functions are impacted, classified under CWE-1321 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

Remote attackers can exploit this vulnerability without privileges by crafting malicious input that requires user interaction, such as tricking a user into processing a specially formatted object path. Successful exploitation enables limited prototype pollution, potentially allowing low-level impacts on confidentiality, integrity, and availability by tampering with object prototypes in JavaScript applications that use the affected Dottie functions.

Advisories from GitHub, including GHSA-4gxf-g5gf-22h4 and GHSA-r5mx-6wc6-7h9w, along with commit 7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14, recommend upgrading to Dottie version 2.0.7, which includes an updated fix to properly validate all segments of dot-separated paths and address the residual vulnerability.
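The SI-10 control above and the NVD description both come down to one point: every segment of the path must be checked, not only the first. The following added example (my own code, not Dottie's, and not the fix in 2.0.7) contrasts a first-segment-only check, which has the shape of the incomplete guard the advisory describes, with a guard that inspects every segment, and wraps a minimal nested-set routine in it so an application can validate before calling into a library. The function names, and the `constructor` and `prototype` entries in the denylist, are my additions and are not taken from the advisory.

```javascript
// Added example, not dottie's own code. Keys that must never appear in any
// position of a user-controlled object path. The advisory names only
// '__proto__'; 'constructor' and 'prototype' are added as a defensive
// assumption because they reach Object.prototype by another route.
const RESERVED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Normalise a path to an array of non-empty string segments. Accepts the
// dotted string form ("a.b.c") or an array form (["a", "b", "c"]).
function toSegments(path) {
  const raw = Array.isArray(path) ? path : String(path).split('.');
  const segments = raw.map(String);
  if (segments.length === 0 || segments.some((s) => s.length === 0)) {
    throw new TypeError('path must contain at least one non-empty segment');
  }
  return segments;
}

// The weak pattern described in the advisory: only segment 0 is inspected.
// Returns true when the path would be accepted. Shown for contrast only.
function firstSegmentOnlyGuard(path) {
  return !RESERVED_SEGMENTS.has(toSegments(path)[0]);
}

// Hardened guard: every segment is inspected.
function isSafePath(path) {
  return toSegments(path).every((s) => !RESERVED_SEGMENTS.has(s));
}

// Nested set that refuses unsafe paths up front and only descends into
// own-property plain objects, creating intermediate objects as needed.
function safeSet(target, path, value) {
  if (!isSafePath(path)) {
    throw new Error(`refusing object path with reserved segment: ${path}`);
  }
  const segments = toSegments(path);
  let node = target;
  for (const key of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}
```

In an application the `isSafePath` check would sit in front of the library call; rejecting the request is the right outcome, since a path carrying a reserved segment has no legitimate meaning for user data.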

Details

CWE(s)

CWE-1321 (Prototype Pollution)

Affected Products

Vendor: dottie project
Product: dottie
Versions: 2.0.4 — 2.0.7

CVEs Like This One

CVE-2026-23736 (shared CWE-1321)
CVE-2026-32621 (shared CWE-1321)
CVE-2026-29063 (shared CWE-1321)
CVE-2026-33994 (shared CWE-1321)
CVE-2025-61140 (shared CWE-1321)
CVE-2026-35209 (shared CWE-1321)
CVE-2026-24888 (shared CWE-1321)
CVE-2026-32878 (shared CWE-1321)
CVE-2024-38988 (shared CWE-1321)
CVE-2026-34221 (shared CWE-1321)

References