CVE-2016-10546

CRITICAL

PouchDB < 6.0.4 - Remote Code Execution via Map/Reduce Functions

Title source: llm

Description

An arbitrary code injection vector was found in PouchDB 6.0.4 and earlier via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands.

References (1)

Core References
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/143

Scores

CVSS v3 9.8
EPSS 0.0261
EPSS Percentile 83.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (2)
npm/pouchdb 0 - 6.0.5 (npm)
pouchdb/pouchdb < 6.0.4
Published May 31, 2018
Tracked Since Feb 18, 2026