CVE-2026-9101
5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| MongoDB, Inc. | Compass | 1.36.3 | affected |
| MongoDB, Inc. | Compass | 1.36.4 | affected |
| MongoDB, Inc. | Compass | 1.37.0 | affected |
| MongoDB, Inc. | Compass | 1.38.0 | affected |
| MongoDB, Inc. | Compass | 1.38.1 | affected |
| MongoDB, Inc. | Compass | 1.38.2 | affected |
| MongoDB, Inc. | Compass | 1.39.0 | affected |
| MongoDB, Inc. | Compass | 1.39.1 | affected |
| MongoDB, Inc. | Compass | 1.39.2 | affected |
| MongoDB, Inc. | Compass | 1.39.3 | affected |
| MongoDB, Inc. | Compass | 1.39.4 | affected |
| MongoDB, Inc. | Compass | 1.40.0 | affected |
| MongoDB, Inc. | Compass | 1.40.1 | affected |
| MongoDB, Inc. | Compass | 1.40.2 | affected |
| MongoDB, Inc. | Compass | 1.40.3 | affected |
| MongoDB, Inc. | Compass | 1.40.4 | affected |
| MongoDB, Inc. | Compass | 1.41.0 | affected |
| MongoDB, Inc. | Compass | 1.42.0 | affected |
| MongoDB, Inc. | Compass | 1.42.1 | affected |
| MongoDB, Inc. | Compass | 1.42.2 | affected |
| MongoDB, Inc. | Compass | 1.42.3 | affected |
| MongoDB, Inc. | Compass | 1.42.5 | affected |
| MongoDB, Inc. | Compass | 1.43.0 | affected |
| MongoDB, Inc. | Compass | 1.43.1 | affected |
| MongoDB, Inc. | Compass | 1.43.2 | affected |
| MongoDB, Inc. | Compass | 1.43.3 | affected |
| MongoDB, Inc. | Compass | 1.43.4 | affected |
| MongoDB, Inc. | Compass | 1.43.5 | affected |
| MongoDB, Inc. | Compass | 1.43.6 | affected |
| MongoDB, Inc. | Compass | 1.44.0 | affected |
| MongoDB, Inc. | Compass | 1.44.3 | affected |
| MongoDB, Inc. | Compass | 1.44.4 | affected |
| MongoDB, Inc. | Compass | 1.44.5 | affected |
| MongoDB, Inc. | Compass | 1.44.6 | affected |
| MongoDB, Inc. | Compass | 1.44.7 | affected |
| MongoDB, Inc. | Compass | 1.45.0 | affected |
| MongoDB, Inc. | Compass | 1.45.1 | affected |
| MongoDB, Inc. | Compass | 1.45.2 | affected |
| MongoDB, Inc. | Compass | 1.45.3 | affected |
| MongoDB, Inc. | Compass | 1.45.4 | affected |
| MongoDB, Inc. | Compass | 1.46.0 | affected |
| MongoDB, Inc. | Compass | 1.46.1 | affected |
| MongoDB, Inc. | Compass | 1.46.2 | affected |
| MongoDB, Inc. | Compass | 1.46.3 | affected |
| MongoDB, Inc. | Compass | 1.46.4 | affected |
| MongoDB, Inc. | Compass | 1.46.5 | affected |
| MongoDB, Inc. | Compass | 1.46.6 | affected |
| MongoDB, Inc. | Compass | 1.46.7 | affected |
| MongoDB, Inc. | Compass | 1.46.8 | affected |
| MongoDB, Inc. | Compass | 1.46.9 | affected |
| MongoDB, Inc. | Compass | 1.46.10 | affected |
| MongoDB, Inc. | Compass | 1.46.11 | affected |
| MongoDB, Inc. | Compass | 1.47.0 | affected |
| MongoDB, Inc. | Compass | 1.47.1 | affected |
| MongoDB, Inc. | Compass | 1.48.0 | affected |
| MongoDB, Inc. | Compass | 1.48.1 | affected |
| MongoDB, Inc. | Compass | 1.48.2 | affected |
| MongoDB, Inc. | Compass | 1.49.0 | affected |
| MongoDB, Inc. | Compass | 1.49.1 | affected |
| MongoDB, Inc. | Compass | 1.49.2 | affected |
| MongoDB, Inc. | Compass | 1.49.3 | affected |
| MongoDB, Inc. | Compass | 1.49.4 | affected |
| MongoDB, Inc. | Compass | 1.49.5 | affected |
Weaknesses
- CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.