Prototype pollution in csv parsing_CVE-2026-9101

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.

Basic Information

ID CVE-2026-9101

Source mongodb

Published May 20, 2026 at 16:18

Affected Product

Vendor MongoDB, Inc.

Product Compass

Version 1.36.3

Affected Versions MongoDB, Inc. Compass 1.36.3
MongoDB, Inc. Compass 1.36.4
MongoDB, Inc. Compass 1.37.0
MongoDB, Inc. Compass 1.38.0
MongoDB, Inc. Compass 1.38.1
MongoDB, Inc. Compass 1.38.2
MongoDB, Inc. Compass 1.39.0
MongoDB, Inc. Compass 1.39.1
MongoDB, Inc. Compass 1.39.2
MongoDB, Inc. Compass 1.39.3
MongoDB, Inc. Compass 1.39.4
MongoDB, Inc. Compass 1.40.0
MongoDB, Inc. Compass 1.40.1
MongoDB, Inc. Compass 1.40.2
MongoDB, Inc. Compass 1.40.3
MongoDB, Inc. Compass 1.40.4
MongoDB, Inc. Compass 1.41.0
MongoDB, Inc. Compass 1.42.0
MongoDB, Inc. Compass 1.42.1
MongoDB, Inc. Compass 1.42.2
MongoDB, Inc. Compass 1.42.3
MongoDB, Inc. Compass 1.42.5
MongoDB, Inc. Compass 1.43.0
MongoDB, Inc. Compass 1.43.1
MongoDB, Inc. Compass 1.43.2
MongoDB, Inc. Compass 1.43.3
MongoDB, Inc. Compass 1.43.4
MongoDB, Inc. Compass 1.43.5
MongoDB, Inc. Compass 1.43.6
MongoDB, Inc. Compass 1.44.0
MongoDB, Inc. Compass 1.44.3
MongoDB, Inc. Compass 1.44.4
MongoDB, Inc. Compass 1.44.5
MongoDB, Inc. Compass 1.44.6
MongoDB, Inc. Compass 1.44.7
MongoDB, Inc. Compass 1.45.0
MongoDB, Inc. Compass 1.45.1
MongoDB, Inc. Compass 1.45.2
MongoDB, Inc. Compass 1.45.3
MongoDB, Inc. Compass 1.45.4
MongoDB, Inc. Compass 1.46.0
MongoDB, Inc. Compass 1.46.1
MongoDB, Inc. Compass 1.46.2
MongoDB, Inc. Compass 1.46.3
MongoDB, Inc. Compass 1.46.4
MongoDB, Inc. Compass 1.46.5
MongoDB, Inc. Compass 1.46.6
MongoDB, Inc. Compass 1.46.7
MongoDB, Inc. Compass 1.46.8
MongoDB, Inc. Compass 1.46.9
MongoDB, Inc. Compass 1.46.10
MongoDB, Inc. Compass 1.46.11
MongoDB, Inc. Compass 1.47.0
MongoDB, Inc. Compass 1.47.1
MongoDB, Inc. Compass 1.48.0
MongoDB, Inc. Compass 1.48.1
MongoDB, Inc. Compass 1.48.2
MongoDB, Inc. Compass 1.49.0
MongoDB, Inc. Compass 1.49.1
MongoDB, Inc. Compass 1.49.2
MongoDB, Inc. Compass 1.49.3
MongoDB, Inc. Compass 1.49.4
MongoDB, Inc. Compass 1.49.5

CWE Classification

CWE-1321

References

jira.mongodb.org /browse/COMPASS-10657

{
    "lastseen": "",
    "description": "Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to \"1-click\" command execution.",
    "published": "2026-05-20T16:18:10.689Z",
    "modified": "2026-05-20T16:18:10.689Z",
    "type": "cve",
    "title": "Prototype pollution in csv parsing",
    "source": "mongodb",
    "references": "https://jira.mongodb.org/browse/COMPASS-10657",
    "id": "CVE-2026-9101",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1321"
    ],
    "cvelist": null,
    "sourceData": "MongoDB, Inc. Compass 1.36.3\nMongoDB, Inc. Compass 1.36.4\nMongoDB, Inc. Compass 1.37.0\nMongoDB, Inc. Compass 1.38.0\nMongoDB, Inc. Compass 1.38.1\nMongoDB, Inc. Compass 1.38.2\nMongoDB, Inc. Compass 1.39.0\nMongoDB, Inc. Compass 1.39.1\nMongoDB, Inc. Compass 1.39.2\nMongoDB, Inc. Compass 1.39.3\nMongoDB, Inc. Compass 1.39.4\nMongoDB, Inc. Compass 1.40.0\nMongoDB, Inc. Compass 1.40.1\nMongoDB, Inc. Compass 1.40.2\nMongoDB, Inc. Compass 1.40.3\nMongoDB, Inc. Compass 1.40.4\nMongoDB, Inc. Compass 1.41.0\nMongoDB, Inc. Compass 1.42.0\nMongoDB, Inc. Compass 1.42.1\nMongoDB, Inc. Compass 1.42.2\nMongoDB, Inc. Compass 1.42.3\nMongoDB, Inc. Compass 1.42.5\nMongoDB, Inc. Compass 1.43.0\nMongoDB, Inc. Compass 1.43.1\nMongoDB, Inc. Compass 1.43.2\nMongoDB, Inc. Compass 1.43.3\nMongoDB, Inc. Compass 1.43.4\nMongoDB, Inc. Compass 1.43.5\nMongoDB, Inc. Compass 1.43.6\nMongoDB, Inc. Compass 1.44.0\nMongoDB, Inc. Compass 1.44.3\nMongoDB, Inc. Compass 1.44.4\nMongoDB, Inc. Compass 1.44.5\nMongoDB, Inc. Compass 1.44.6\nMongoDB, Inc. Compass 1.44.7\nMongoDB, Inc. Compass 1.45.0\nMongoDB, Inc. Compass 1.45.1\nMongoDB, Inc. Compass 1.45.2\nMongoDB, Inc. Compass 1.45.3\nMongoDB, Inc. Compass 1.45.4\nMongoDB, Inc. Compass 1.46.0\nMongoDB, Inc. Compass 1.46.1\nMongoDB, Inc. Compass 1.46.2\nMongoDB, Inc. Compass 1.46.3\nMongoDB, Inc. Compass 1.46.4\nMongoDB, Inc. Compass 1.46.5\nMongoDB, Inc. Compass 1.46.6\nMongoDB, Inc. Compass 1.46.7\nMongoDB, Inc. Compass 1.46.8\nMongoDB, Inc. Compass 1.46.9\nMongoDB, Inc. Compass 1.46.10\nMongoDB, Inc. Compass 1.46.11\nMongoDB, Inc. Compass 1.47.0\nMongoDB, Inc. Compass 1.47.1\nMongoDB, Inc. Compass 1.48.0\nMongoDB, Inc. Compass 1.48.1\nMongoDB, Inc. Compass 1.48.2\nMongoDB, Inc. Compass 1.49.0\nMongoDB, Inc. Compass 1.49.1\nMongoDB, Inc. Compass 1.49.2\nMongoDB, Inc. Compass 1.49.3\nMongoDB, Inc. Compass 1.49.4\nMongoDB, Inc. Compass 1.49.5",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Compass",
    "version": "1.36.3",
    "vendor": "MongoDB, Inc.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}