CVE-2023-27837
Published 2023-06-13
CVE-2023-27837: TP-Link TL-WPA8630P (US)_ V2_ Version 171011 was discovered to contain a command injection vulnerability via the key parameter in the function sub_ 40A774.
Priority P263 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.41% (82.0th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dottie_project | dottie | >= 2.0.4 < 2.0.7 | 2.0.7 |
| tp-link | tl-wpa8630p_firmware | — | — |
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa · 7.5 HIGH
vendor_redhat · 7.5 HIGH
GHSA
dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
ghsa·2026-02-26·CVSS 7.5
CVE-2026-27837 [HIGH] CWE-1321 dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
### Summary
dottie versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first.
Both `dottie.set()` and `dottie.transform()` are affected.
### Details
The existing guard checks only `pieces[0] === '__proto__'`. When a path like `'a.__proto__.polluted'` is used, `pieces[0]` evaluates to `'a'`, not `'__proto__'`, so the guard is bypassed.
Inside the traversal loop, `current['__proto__'] = {}` triggers the `__proto__` setter, replacing the intermedi
GHSA
GHSA-mh62-pxjf-6mqw: TP-Link TL-WPA8630P (US)_ V2_ Version 171011 was discovered to contain a command injection vulnerability via the key parameter in the function sub_ 40
ghsa_unreviewed·2023-06-13
CVE-2023-27837 [CRITICAL] CWE-77 GHSA-mh62-pxjf-6mqw: TP-Link TL-WPA8630P (US)_ V2_ Version 171011 was discovered to contain a command injection vulnerability via the key parameter in the function sub_ 40
TP-Link TL-WPA8630P (US)_ V2_ Version 171011 was discovered to contain a command injection vulnerability via the key parameter in the function sub_ 40A774.
Red Hat
dottie.js: dottie.js: Unauthorized object modification via prototype pollution bypass
vendor_redhat·2026-02-26·CVSS 7.5
CVE-2026-27837 [HIGH] CWE-915 dottie.js: dottie.js: Unauthorized object modification via prototype pollution bypass
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
A flaw was found in dottie.js, a JavaScript library for nested object access and manipulation. An incomplete fix for a previous vulnerability allows a remote attacker to bypass prototype pollution protectio
Published: 2023-06-13