2 vulnerabilities found for Compass by MongoDB, Inc.
CVE-2026-9101 (GCVE-0-2026-9101)
Vulnerability from nvd – Published: 2026-05-20 16:18 – Updated: 2026-05-23 03:55
VLAI
Title
Prototype pollution in csv parsing
Summary
Prototype pollution in the CSV parsing logic used during import can allow untrusted file paths (but not arguments) to reach shell.openExternal after specific user behavior, leading to "1-click" command execution.
Severity
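4.3 (Medium) — this is the CVSS 3.1 base score; the same record also carries a CVSS 4.0 base score of 5.3 (Medium). Both vectors rate integrity impact as Low, while the CISA SSVC entry in the record lists Technical Impact as "total", so triage on the described command-execution outcome rather than on the number alone.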
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://jira.mongodb.org/browse/COMPASS-10657 | issue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MongoDB, Inc. | Compass | Affected: 1.36.3 Affected: 1.36.4 Affected: 1.37.0 Affected: 1.38.0 Affected: 1.38.1 Affected: 1.38.2 Affected: 1.39.0 Affected: 1.39.1 Affected: 1.39.2 Affected: 1.39.3 Affected: 1.39.4 Affected: 1.40.0 Affected: 1.40.1 Affected: 1.40.2 Affected: 1.40.3 Affected: 1.40.4 Affected: 1.41.0 Affected: 1.42.0 Affected: 1.42.1 Affected: 1.42.2 Affected: 1.42.3 Affected: 1.42.5 Affected: 1.43.0 Affected: 1.43.1 Affected: 1.43.2 Affected: 1.43.3 Affected: 1.43.4 Affected: 1.43.5 Affected: 1.43.6 Affected: 1.44.0 Affected: 1.44.3 Affected: 1.44.4 Affected: 1.44.5 Affected: 1.44.6 Affected: 1.44.7 Affected: 1.45.0 Affected: 1.45.1 Affected: 1.45.2 Affected: 1.45.3 Affected: 1.45.4 Affected: 1.46.0 Affected: 1.46.1 Affected: 1.46.2 Affected: 1.46.3 Affected: 1.46.4 Affected: 1.46.5 Affected: 1.46.6 Affected: 1.46.7 Affected: 1.46.8 Affected: 1.46.9 Affected: 1.46.10 Affected: 1.46.11 Affected: 1.47.0 Affected: 1.47.1 Affected: 1.48.0 Affected: 1.48.1 Affected: 1.48.2 Affected: 1.49.0 Affected: 1.49.1 Affected: 1.49.2 Affected: 1.49.3 Affected: 1.49.4 Affected: 1.49.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9101",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:41.949Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Compass",
"vendor": "MongoDB, Inc.",
"versions": [
{
"status": "affected",
"version": "1.36.3"
},
{
"status": "affected",
"version": "1.36.4"
},
{
"status": "affected",
"version": "1.37.0"
},
{
"status": "affected",
"version": "1.38.0"
},
{
"status": "affected",
"version": "1.38.1"
},
{
"status": "affected",
"version": "1.38.2"
},
{
"status": "affected",
"version": "1.39.0"
},
{
"status": "affected",
"version": "1.39.1"
},
{
"status": "affected",
"version": "1.39.2"
},
{
"status": "affected",
"version": "1.39.3"
},
{
"status": "affected",
"version": "1.39.4"
},
{
"status": "affected",
"version": "1.40.0"
},
{
"status": "affected",
"version": "1.40.1"
},
{
"status": "affected",
"version": "1.40.2"
},
{
"status": "affected",
"version": "1.40.3"
},
{
"status": "affected",
"version": "1.40.4"
},
{
"status": "affected",
"version": "1.41.0"
},
{
"status": "affected",
"version": "1.42.0"
},
{
"status": "affected",
"version": "1.42.1"
},
{
"status": "affected",
"version": "1.42.2"
},
{
"status": "affected",
"version": "1.42.3"
},
{
"status": "affected",
"version": "1.42.5"
},
{
"status": "affected",
"version": "1.43.0"
},
{
"status": "affected",
"version": "1.43.1"
},
{
"status": "affected",
"version": "1.43.2"
},
{
"status": "affected",
"version": "1.43.3"
},
{
"status": "affected",
"version": "1.43.4"
},
{
"status": "affected",
"version": "1.43.5"
},
{
"status": "affected",
"version": "1.43.6"
},
{
"status": "affected",
"version": "1.44.0"
},
{
"status": "affected",
"version": "1.44.3"
},
{
"status": "affected",
"version": "1.44.4"
},
{
"status": "affected",
"version": "1.44.5"
},
{
"status": "affected",
"version": "1.44.6"
},
{
"status": "affected",
"version": "1.44.7"
},
{
"status": "affected",
"version": "1.45.0"
},
{
"status": "affected",
"version": "1.45.1"
},
{
"status": "affected",
"version": "1.45.2"
},
{
"status": "affected",
"version": "1.45.3"
},
{
"status": "affected",
"version": "1.45.4"
},
{
"status": "affected",
"version": "1.46.0"
},
{
"status": "affected",
"version": "1.46.1"
},
{
"status": "affected",
"version": "1.46.2"
},
{
"status": "affected",
"version": "1.46.3"
},
{
"status": "affected",
"version": "1.46.4"
},
{
"status": "affected",
"version": "1.46.5"
},
{
"status": "affected",
"version": "1.46.6"
},
{
"status": "affected",
"version": "1.46.7"
},
{
"status": "affected",
"version": "1.46.8"
},
{
"status": "affected",
"version": "1.46.9"
},
{
"status": "affected",
"version": "1.46.10"
},
{
"status": "affected",
"version": "1.46.11"
},
{
"status": "affected",
"version": "1.47.0"
},
{
"status": "affected",
"version": "1.47.1"
},
{
"status": "affected",
"version": "1.48.0"
},
{
"status": "affected",
"version": "1.48.1"
},
{
"status": "affected",
"version": "1.48.2"
},
{
"status": "affected",
"version": "1.49.0"
},
{
"status": "affected",
"version": "1.49.1"
},
{
"status": "affected",
"version": "1.49.2"
},
{
"status": "affected",
"version": "1.49.3"
},
{
"status": "affected",
"version": "1.49.4"
},
{
"status": "affected",
"version": "1.49.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to \"1-click\" command execution."
}
],
"value": "Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to \"1-click\" command execution."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:18:10.689Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://jira.mongodb.org/browse/COMPASS-10657"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Prototype pollution in csv parsing",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2026-9101",
"datePublished": "2026-05-20T16:18:10.689Z",
"dateReserved": "2026-05-20T16:03:25.137Z",
"dateUpdated": "2026-05-23T03:55:41.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9101 (GCVE-0-2026-9101)
Vulnerability from cvelistv5 – Published: 2026-05-20 16:18 – Updated: 2026-05-23 03:55
VLAI
Title
Prototype pollution in csv parsing
Summary
Prototype pollution in the CSV parsing logic used during import can allow untrusted file paths (but not arguments) to reach shell.openExternal after specific user behavior, leading to "1-click" command execution.
Severity
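4.3 (Medium) — this is the CVSS 3.1 base score; the same record also carries a CVSS 4.0 base score of 5.3 (Medium). Both vectors rate integrity impact as Low, while the CISA SSVC entry in the record lists Technical Impact as "total", so triage on the described command-execution outcome rather than on the number alone.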
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://jira.mongodb.org/browse/COMPASS-10657 | issue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MongoDB, Inc. | Compass | Affected: 1.36.3 Affected: 1.36.4 Affected: 1.37.0 Affected: 1.38.0 Affected: 1.38.1 Affected: 1.38.2 Affected: 1.39.0 Affected: 1.39.1 Affected: 1.39.2 Affected: 1.39.3 Affected: 1.39.4 Affected: 1.40.0 Affected: 1.40.1 Affected: 1.40.2 Affected: 1.40.3 Affected: 1.40.4 Affected: 1.41.0 Affected: 1.42.0 Affected: 1.42.1 Affected: 1.42.2 Affected: 1.42.3 Affected: 1.42.5 Affected: 1.43.0 Affected: 1.43.1 Affected: 1.43.2 Affected: 1.43.3 Affected: 1.43.4 Affected: 1.43.5 Affected: 1.43.6 Affected: 1.44.0 Affected: 1.44.3 Affected: 1.44.4 Affected: 1.44.5 Affected: 1.44.6 Affected: 1.44.7 Affected: 1.45.0 Affected: 1.45.1 Affected: 1.45.2 Affected: 1.45.3 Affected: 1.45.4 Affected: 1.46.0 Affected: 1.46.1 Affected: 1.46.2 Affected: 1.46.3 Affected: 1.46.4 Affected: 1.46.5 Affected: 1.46.6 Affected: 1.46.7 Affected: 1.46.8 Affected: 1.46.9 Affected: 1.46.10 Affected: 1.46.11 Affected: 1.47.0 Affected: 1.47.1 Affected: 1.48.0 Affected: 1.48.1 Affected: 1.48.2 Affected: 1.49.0 Affected: 1.49.1 Affected: 1.49.2 Affected: 1.49.3 Affected: 1.49.4 Affected: 1.49.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9101",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:41.949Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Compass",
"vendor": "MongoDB, Inc.",
"versions": [
{
"status": "affected",
"version": "1.36.3"
},
{
"status": "affected",
"version": "1.36.4"
},
{
"status": "affected",
"version": "1.37.0"
},
{
"status": "affected",
"version": "1.38.0"
},
{
"status": "affected",
"version": "1.38.1"
},
{
"status": "affected",
"version": "1.38.2"
},
{
"status": "affected",
"version": "1.39.0"
},
{
"status": "affected",
"version": "1.39.1"
},
{
"status": "affected",
"version": "1.39.2"
},
{
"status": "affected",
"version": "1.39.3"
},
{
"status": "affected",
"version": "1.39.4"
},
{
"status": "affected",
"version": "1.40.0"
},
{
"status": "affected",
"version": "1.40.1"
},
{
"status": "affected",
"version": "1.40.2"
},
{
"status": "affected",
"version": "1.40.3"
},
{
"status": "affected",
"version": "1.40.4"
},
{
"status": "affected",
"version": "1.41.0"
},
{
"status": "affected",
"version": "1.42.0"
},
{
"status": "affected",
"version": "1.42.1"
},
{
"status": "affected",
"version": "1.42.2"
},
{
"status": "affected",
"version": "1.42.3"
},
{
"status": "affected",
"version": "1.42.5"
},
{
"status": "affected",
"version": "1.43.0"
},
{
"status": "affected",
"version": "1.43.1"
},
{
"status": "affected",
"version": "1.43.2"
},
{
"status": "affected",
"version": "1.43.3"
},
{
"status": "affected",
"version": "1.43.4"
},
{
"status": "affected",
"version": "1.43.5"
},
{
"status": "affected",
"version": "1.43.6"
},
{
"status": "affected",
"version": "1.44.0"
},
{
"status": "affected",
"version": "1.44.3"
},
{
"status": "affected",
"version": "1.44.4"
},
{
"status": "affected",
"version": "1.44.5"
},
{
"status": "affected",
"version": "1.44.6"
},
{
"status": "affected",
"version": "1.44.7"
},
{
"status": "affected",
"version": "1.45.0"
},
{
"status": "affected",
"version": "1.45.1"
},
{
"status": "affected",
"version": "1.45.2"
},
{
"status": "affected",
"version": "1.45.3"
},
{
"status": "affected",
"version": "1.45.4"
},
{
"status": "affected",
"version": "1.46.0"
},
{
"status": "affected",
"version": "1.46.1"
},
{
"status": "affected",
"version": "1.46.2"
},
{
"status": "affected",
"version": "1.46.3"
},
{
"status": "affected",
"version": "1.46.4"
},
{
"status": "affected",
"version": "1.46.5"
},
{
"status": "affected",
"version": "1.46.6"
},
{
"status": "affected",
"version": "1.46.7"
},
{
"status": "affected",
"version": "1.46.8"
},
{
"status": "affected",
"version": "1.46.9"
},
{
"status": "affected",
"version": "1.46.10"
},
{
"status": "affected",
"version": "1.46.11"
},
{
"status": "affected",
"version": "1.47.0"
},
{
"status": "affected",
"version": "1.47.1"
},
{
"status": "affected",
"version": "1.48.0"
},
{
"status": "affected",
"version": "1.48.1"
},
{
"status": "affected",
"version": "1.48.2"
},
{
"status": "affected",
"version": "1.49.0"
},
{
"status": "affected",
"version": "1.49.1"
},
{
"status": "affected",
"version": "1.49.2"
},
{
"status": "affected",
"version": "1.49.3"
},
{
"status": "affected",
"version": "1.49.4"
},
{
"status": "affected",
"version": "1.49.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to \"1-click\" command execution."
}
],
"value": "Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to \"1-click\" command execution."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:18:10.689Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://jira.mongodb.org/browse/COMPASS-10657"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Prototype pollution in csv parsing",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2026-9101",
"datePublished": "2026-05-20T16:18:10.689Z",
"dateReserved": "2026-05-20T16:03:25.137Z",
"dateUpdated": "2026-05-23T03:55:41.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}