{
  "threat_severity" : "Moderate",
  "public_date" : "2026-02-26T00:19:24Z",
  "bugzilla" : {
    "description" : "dottie.js: dottie.js: Unauthorized object modification via prototype pollution bypass",
    "id" : "2442905",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2442905"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-915",
  "details" : [ "Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.", "A flaw was found in dottie.js, a JavaScript library for nested object access and manipulation. An incomplete fix for a previous vulnerability allows a remote attacker to bypass prototype pollution protection by placing '__proto__' at any position other than the first in a dot-separated path. This vulnerability affects the `dottie.set()` and `dottie.transform()` functions. Successful exploitation can lead to unauthorized modification of object properties, potentially causing unexpected application behavior, information disclosure, or denial of service." ],
  "statement" : "This vulnerability is rated as Moderate by Red Hat. Successful exploitation requires user interaction, since the two vulnerable functions, `dottie.set()` and `dottie.transform()`, first need to be passed attacker-controlled input that the application accepts (e.g. by parsing a query string). Furthermore, successful exploitation may lead to limited and indirect leakage of sensitive data (largely dependent upon the context in which the application is used), limited integrity impact (since the attack does not allow for arbitrary memory or code overwriting), and limited availability impact, potentially causing the application to crash (DoS).",
  "package_state" : [ {
    "product_name" : "Confidential Compute Attestation",
    "fix_state" : "Not affected",
    "package_name" : "openshift-sandboxed-containers/osc-pccs",
    "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "linux-sgx",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "linux-sgx",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "satellite/iop-remediations-rhel9",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-27837\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27837\nhttps://github.com/advisories/GHSA-4gxf-g5gf-22h4\nhttps://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14\nhttps://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w" ],
  "name" : "CVE-2026-27837",
  "csaw" : false
}