Lucene search
+L

7 matches found

Github Security Blog
Github Security Blog
added 2026/02/26 7:54 p.m.15 views

dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()

Summary dottie versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing proto at any position other than...

9.8CVSS5.6AI score0.00303EPSS
Exploits2References5Affected Software1
OSV
OSV
added 2026/02/26 7:54 p.m.7 views

GHSA-R5MX-6WC6-7H9W dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()

Summary dottie versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing proto at any position other than...

6.3CVSS7.1AI score0.00303EPSS
Exploits2References5
vulnersOsv
vulnersOsv
added 2023/06/10 6:30 a.m.8 views

12g (=0.0.27), 402 (>=0.0.2 <=0.1.1) +1026 more potentially affected by CVE-2023-26132 +1 more via dottie (>=0.0.6-1 <=2.0.3)

dottie NPM version =0.0.6-1, =0.0.2, =1.16.1, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =0.0.1, =1.1.7, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.6 and more Source cves: CVE-2023-26132, CVE-2026-27837 Source advisory: OSV:GHSA-4GXF-G5GF-22H4...

9.8CVSS7.1AI score0.01062EPSS
Exploits3
Debian CVE
Debian CVE
added 2023/06/10 5:0 a.m.21 views

CVE-2023-26132

Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set function and the current variable in the /dottie.js file...

7.5CVSS7.4AI score0.01062EPSS
Exploits2
Vulnrichment
Vulnrichment
added 2023/06/10 5:0 a.m.8 views

CVE-2023-26132

Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set function and the current variable in the /dottie.js file...

7.5CVSS7.5AI score0.01062EPSS
Exploits2References3
Cvelist
Cvelist
added 2023/06/10 5:0 a.m.28 views

CVE-2023-26132

Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set function and the current variable in the /dottie.js file...

7.5CVSS7.6AI score0.01062EPSS
Exploits2References3
CVE
CVE
added 2023/06/10 5:0 a.m.65 views

CVE-2023-26132

CVE-2023-26132 affects the Node.js package dottie. Affected component: dottie.js (set() function) within the dottie package. Vulnerable versions: all before 2.0.4. Root cause: Prototype Pollution due to insufficient input validation in set(), enabling property injection via the current variable. ...

7.5CVSS7.3AI score0.01062EPSS
Exploits2References3Affected Software1
Rows per page
Query Builder