1 vulnerability found for Compass by MongoDB, Inc.
CVE-2026-9101 (GCVE-0-2026-9101)
Vulnerability from cvelistv5
Published
2026-05-20 16:18
Modified
2026-05-27 13:10
Severity ?
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Summary
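Prototype pollution in the CSV parsing logic used during import can allow untrusted file paths (but not arguments) to reach shell.openExternal after specific user behavior, leading to "1-click" command execution.
Note: the CNA's CVSS vectors above rate only a low integrity impact, while the CISA SSVC entry in the record below lists the technical impact as "total"; prioritise on the described command-execution outcome rather than on the base score alone.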
References
| URL | Tags |
|---|---|
| https://jira.mongodb.org/browse/COMPASS-10657 | issue-tracking |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| MongoDB, Inc. | Compass | 1.36.3, 1.36.4, 1.37.0, 1.38.0, 1.38.1, 1.38.2, 1.39.0, 1.39.1, 1.39.2, 1.39.3, 1.39.4, 1.40.0, 1.40.1, 1.40.2, 1.40.3, 1.40.4, 1.41.0, 1.42.0, 1.42.1, 1.42.2, 1.42.3, 1.42.5, 1.43.0, 1.43.1, 1.43.2, 1.43.3, 1.43.4, 1.43.5, 1.43.6, 1.44.0, 1.44.3, 1.44.4, 1.44.5, 1.44.6, 1.44.7, 1.45.0, 1.45.1, 1.45.2, 1.45.3, 1.45.4, 1.46.0, 1.46.1, 1.46.2, 1.46.3, 1.46.4, 1.46.5, 1.46.6, 1.46.7, 1.46.8, 1.46.9, 1.46.10, 1.46.11, 1.47.0, 1.47.1, 1.48.0, 1.48.1, 1.48.2, 1.49.0, 1.49.1, 1.49.2, 1.49.3, 1.49.4, 1.49.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9101",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-23T03:55:43.091186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:10:03.012Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Compass",
"vendor": "MongoDB, Inc.",
"versions": [
{
"status": "affected",
"version": "1.36.3"
},
{
"status": "affected",
"version": "1.36.4"
},
{
"status": "affected",
"version": "1.37.0"
},
{
"status": "affected",
"version": "1.38.0"
},
{
"status": "affected",
"version": "1.38.1"
},
{
"status": "affected",
"version": "1.38.2"
},
{
"status": "affected",
"version": "1.39.0"
},
{
"status": "affected",
"version": "1.39.1"
},
{
"status": "affected",
"version": "1.39.2"
},
{
"status": "affected",
"version": "1.39.3"
},
{
"status": "affected",
"version": "1.39.4"
},
{
"status": "affected",
"version": "1.40.0"
},
{
"status": "affected",
"version": "1.40.1"
},
{
"status": "affected",
"version": "1.40.2"
},
{
"status": "affected",
"version": "1.40.3"
},
{
"status": "affected",
"version": "1.40.4"
},
{
"status": "affected",
"version": "1.41.0"
},
{
"status": "affected",
"version": "1.42.0"
},
{
"status": "affected",
"version": "1.42.1"
},
{
"status": "affected",
"version": "1.42.2"
},
{
"status": "affected",
"version": "1.42.3"
},
{
"status": "affected",
"version": "1.42.5"
},
{
"status": "affected",
"version": "1.43.0"
},
{
"status": "affected",
"version": "1.43.1"
},
{
"status": "affected",
"version": "1.43.2"
},
{
"status": "affected",
"version": "1.43.3"
},
{
"status": "affected",
"version": "1.43.4"
},
{
"status": "affected",
"version": "1.43.5"
},
{
"status": "affected",
"version": "1.43.6"
},
{
"status": "affected",
"version": "1.44.0"
},
{
"status": "affected",
"version": "1.44.3"
},
{
"status": "affected",
"version": "1.44.4"
},
{
"status": "affected",
"version": "1.44.5"
},
{
"status": "affected",
"version": "1.44.6"
},
{
"status": "affected",
"version": "1.44.7"
},
{
"status": "affected",
"version": "1.45.0"
},
{
"status": "affected",
"version": "1.45.1"
},
{
"status": "affected",
"version": "1.45.2"
},
{
"status": "affected",
"version": "1.45.3"
},
{
"status": "affected",
"version": "1.45.4"
},
{
"status": "affected",
"version": "1.46.0"
},
{
"status": "affected",
"version": "1.46.1"
},
{
"status": "affected",
"version": "1.46.2"
},
{
"status": "affected",
"version": "1.46.3"
},
{
"status": "affected",
"version": "1.46.4"
},
{
"status": "affected",
"version": "1.46.5"
},
{
"status": "affected",
"version": "1.46.6"
},
{
"status": "affected",
"version": "1.46.7"
},
{
"status": "affected",
"version": "1.46.8"
},
{
"status": "affected",
"version": "1.46.9"
},
{
"status": "affected",
"version": "1.46.10"
},
{
"status": "affected",
"version": "1.46.11"
},
{
"status": "affected",
"version": "1.47.0"
},
{
"status": "affected",
"version": "1.47.1"
},
{
"status": "affected",
"version": "1.48.0"
},
{
"status": "affected",
"version": "1.48.1"
},
{
"status": "affected",
"version": "1.48.2"
},
{
"status": "affected",
"version": "1.49.0"
},
{
"status": "affected",
"version": "1.49.1"
},
{
"status": "affected",
"version": "1.49.2"
},
{
"status": "affected",
"version": "1.49.3"
},
{
"status": "affected",
"version": "1.49.4"
},
{
"status": "affected",
"version": "1.49.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to \"1-click\" command execution."
}
],
"value": "Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to \"1-click\" command execution."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:18:10.689Z",
"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"shortName": "mongodb"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://jira.mongodb.org/browse/COMPASS-10657"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Prototype pollution in csv parsing",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
"assignerShortName": "mongodb",
"cveId": "CVE-2026-9101",
"datePublished": "2026-05-20T16:18:10.689Z",
"dateReserved": "2026-05-20T16:03:25.137Z",
"dateUpdated": "2026-05-27T13:10:03.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}