CVE-2026-9101

Summary

Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.

Affected Software

VendorProductVersion RangeStatus
MongoDB, Inc.Compass1.36.3affected
MongoDB, Inc.Compass1.36.4affected
MongoDB, Inc.Compass1.37.0affected
MongoDB, Inc.Compass1.38.0affected
MongoDB, Inc.Compass1.38.1affected
MongoDB, Inc.Compass1.38.2affected
MongoDB, Inc.Compass1.39.0affected
MongoDB, Inc.Compass1.39.1affected
MongoDB, Inc.Compass1.39.2affected
MongoDB, Inc.Compass1.39.3affected
MongoDB, Inc.Compass1.39.4affected
MongoDB, Inc.Compass1.40.0affected
MongoDB, Inc.Compass1.40.1affected
MongoDB, Inc.Compass1.40.2affected
MongoDB, Inc.Compass1.40.3affected
MongoDB, Inc.Compass1.40.4affected
MongoDB, Inc.Compass1.41.0affected
MongoDB, Inc.Compass1.42.0affected
MongoDB, Inc.Compass1.42.1affected
MongoDB, Inc.Compass1.42.2affected
MongoDB, Inc.Compass1.42.3affected
MongoDB, Inc.Compass1.42.5affected
MongoDB, Inc.Compass1.43.0affected
MongoDB, Inc.Compass1.43.1affected
MongoDB, Inc.Compass1.43.2affected
MongoDB, Inc.Compass1.43.3affected
MongoDB, Inc.Compass1.43.4affected
MongoDB, Inc.Compass1.43.5affected
MongoDB, Inc.Compass1.43.6affected
MongoDB, Inc.Compass1.44.0affected
MongoDB, Inc.Compass1.44.3affected
MongoDB, Inc.Compass1.44.4affected
MongoDB, Inc.Compass1.44.5affected
MongoDB, Inc.Compass1.44.6affected
MongoDB, Inc.Compass1.44.7affected
MongoDB, Inc.Compass1.45.0affected
MongoDB, Inc.Compass1.45.1affected
MongoDB, Inc.Compass1.45.2affected
MongoDB, Inc.Compass1.45.3affected
MongoDB, Inc.Compass1.45.4affected
MongoDB, Inc.Compass1.46.0affected
MongoDB, Inc.Compass1.46.1affected
MongoDB, Inc.Compass1.46.2affected
MongoDB, Inc.Compass1.46.3affected
MongoDB, Inc.Compass1.46.4affected
MongoDB, Inc.Compass1.46.5affected
MongoDB, Inc.Compass1.46.6affected
MongoDB, Inc.Compass1.46.7affected
MongoDB, Inc.Compass1.46.8affected
MongoDB, Inc.Compass1.46.9affected
MongoDB, Inc.Compass1.46.10affected
MongoDB, Inc.Compass1.46.11affected
MongoDB, Inc.Compass1.47.0affected
MongoDB, Inc.Compass1.47.1affected
MongoDB, Inc.Compass1.48.0affected
MongoDB, Inc.Compass1.48.1affected
MongoDB, Inc.Compass1.48.2affected
MongoDB, Inc.Compass1.49.0affected
MongoDB, Inc.Compass1.49.1affected
MongoDB, Inc.Compass1.49.2affected
MongoDB, Inc.Compass1.49.3affected
MongoDB, Inc.Compass1.49.4affected
MongoDB, Inc.Compass1.49.5affected

Weaknesses

  • CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References