{“lastseen”:””,”description”:”Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to \\”1-click\\” command execution.”,”published”:”2026-05-20T16:18:10.689Z”,”modified”:”2026-05-20T16:18:10.689Z”,”type”:”cve”,”title”:”Prototype pollution in csv parsing”,”source”:”mongodb”,”references”:”https:\/\/jira.mongodb.org\/browse\/COMPASS-10657″,”id”:”CVE-2026-9101″,”bulletinFamily”:””,”cwe”:[“CWE-1321″],”cvelist”:null,”sourceData”:”MongoDB, Inc. Compass 1.36.3\\nMongoDB, Inc. Compass 1.36.4\\nMongoDB, Inc. Compass 1.37.0\\nMongoDB, Inc. Compass 1.38.0\\nMongoDB, Inc. Compass 1.38.1\\nMongoDB, Inc. Compass 1.38.2\\nMongoDB, Inc. Compass 1.39.0\\nMongoDB, Inc. Compass 1.39.1\\nMongoDB, Inc. Compass 1.39.2\\nMongoDB, Inc. Compass 1.39.3\\nMongoDB, Inc. Compass 1.39.4\\nMongoDB, Inc. Compass 1.40.0\\nMongoDB, Inc. Compass 1.40.1\\nMongoDB, Inc. Compass 1.40.2\\nMongoDB, Inc. Compass 1.40.3\\nMongoDB, Inc. Compass 1.40.4\\nMongoDB, Inc. Compass 1.41.0\\nMongoDB, Inc. Compass 1.42.0\\nMongoDB, Inc. Compass 1.42.1\\nMongoDB, Inc. Compass 1.42.2\\nMongoDB, Inc. Compass 1.42.3\\nMongoDB, Inc. Compass 1.42.5\\nMongoDB, Inc. Compass 1.43.0\\nMongoDB, Inc. Compass 1.43.1\\nMongoDB, Inc. Compass 1.43.2\\nMongoDB, Inc. Compass 1.43.3\\nMongoDB, Inc. Compass 1.43.4\\nMongoDB, Inc. Compass 1.43.5\\nMongoDB, Inc. Compass 1.43.6\\nMongoDB, Inc. Compass 1.44.0\\nMongoDB, Inc. Compass 1.44.3\\nMongoDB, Inc. Compass 1.44.4\\nMongoDB, Inc. Compass 1.44.5\\nMongoDB, Inc. Compass 1.44.6\\nMongoDB, Inc. Compass 1.44.7\\nMongoDB, Inc. Compass 1.45.0\\nMongoDB, Inc. Compass 1.45.1\\nMongoDB, Inc. Compass 1.45.2\\nMongoDB, Inc. Compass 1.45.3\\nMongoDB, Inc. Compass 1.45.4\\nMongoDB, Inc. Compass 1.46.0\\nMongoDB, Inc. Compass 1.46.1\\nMongoDB, Inc. Compass 1.46.2\\nMongoDB, Inc. Compass 1.46.3\\nMongoDB, Inc. Compass 1.46.4\\nMongoDB, Inc. Compass 1.46.5\\nMongoDB, Inc. Compass 1.46.6\\nMongoDB, Inc. Compass 1.46.7\\nMongoDB, Inc. Compass 1.46.8\\nMongoDB, Inc. Compass 1.46.9\\nMongoDB, Inc. Compass 1.46.10\\nMongoDB, Inc. Compass 1.46.11\\nMongoDB, Inc. Compass 1.47.0\\nMongoDB, Inc. Compass 1.47.1\\nMongoDB, Inc. Compass 1.48.0\\nMongoDB, Inc. Compass 1.48.1\\nMongoDB, Inc. Compass 1.48.2\\nMongoDB, Inc. Compass 1.49.0\\nMongoDB, Inc. Compass 1.49.1\\nMongoDB, Inc. Compass 1.49.2\\nMongoDB, Inc. Compass 1.49.3\\nMongoDB, Inc. Compass 1.49.4\\nMongoDB, Inc. Compass 1.49.5″,”sourceHref”:””,”cvss”:{“score”:5.3,”severity”:”MEDIUM”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:P\/VC:N\/VI:L\/VA:N\/SC:N\/SI:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Compass”,”version”:”1.36.3″,”vendor”:”MongoDB, Inc.”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,22,12,21,13,7,11,5],"class_list":["post-55882","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-53","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n