CVE-2026-9101
MEDIUMMongoDB Compass - Prototype Pollution via CSV Import Leading to Command Execution
Title source: llmDescription
Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.
References (1)
Core 1
Core References
Issue Tracking issue-tracking
https://jira.mongodb.org/browse/COMPASS-10657
Scores
CVSS v3
4.3
EPSS
0.0040
EPSS Percentile
31.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-1321
Status
published
Products (50)
MongoDB, Inc./Compass
1.36.3
MongoDB, Inc./Compass
1.36.4
MongoDB, Inc./Compass
1.37.0
MongoDB, Inc./Compass
1.38.0
MongoDB, Inc./Compass
1.38.1
MongoDB, Inc./Compass
1.38.2
MongoDB, Inc./Compass
1.39.0
MongoDB, Inc./Compass
1.39.1
MongoDB, Inc./Compass
1.39.2
MongoDB, Inc./Compass
1.39.3
... and 40 more
Published
May 20, 2026
Tracked Since
May 20, 2026