CVE-2026-9101— Prototype pollution in csv parsing

CVSS 4.3 · Medium EPSS 0.01% · P2 Updated May 23, 2026

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 63

Vendor	Product	Version Range	Status
MongoDB, Inc.	Compass	`1.36.3`	affected
		`1.36.4`	affected
		`1.37.0`	affected
		`1.38.0`	affected
		`1.38.1`	affected
		`1.38.2`	affected
		`1.39.0`	affected
		`1.39.1`	affected
… +55 more rows

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-9101

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Prototype pollution in csv parsing

Source: NVD (National Vulnerability Database)

Vulnerability Description

Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

CWE-1321

Source: NVD (National Vulnerability Database)

Vulnerability Title

MongoDB Compass 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

MongoDB Compass是美国MongoDB公司的一个免费的交互式工具。用于查询、优化和分析 MongoDB 数据。 MongoDB Compass存在安全漏洞，该漏洞源于原型污染，可能导致特定用户行为后进入shell.openExternal的不受信任文件路径，进而导致一键命令执行。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
MongoDB, Inc.	Compass	1.36.3	-

II. Public POCs for CVE-2026-9101

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-9101

请登录查看更多情报信息。

Vendor Advisories for CVE-2026-9101 (1)

[COMPASS-10657] Prototype pollution in csv import - MongoDB Jiraissue-tracking

https://nvd.nist.gov/vuln/detail/CVE-2026-9101

IV. Related Vulnerabilities

Same product: Compass

Same vendor: MongoDB, Inc.

Same weakness: CWE-1321

V. Comments for CVE-2026-9101

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-9101— Prototype pollution in csv parsing

Possible ATT&CK Techniques 1AI

Affected Version Matrix 63

I. Basic Information for CVE-2026-9101

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-9101

III. Intelligence Information for CVE-2026-9101

Vendor Advisories for CVE-2026-9101 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-9101

Leave a comment