CVE-2016-10546
CRITICAL
PouchDB < 6.0.4 - Remote Code Execution via Map/Reduce Functions
Title source: llm
Description
An arbitrary code injection vector was found in PouchDB 6.0.4 and earlier via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands.
References (1)
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/143
Scores
CVSS v3
9.8
EPSS
0.0261
EPSS Percentile
83.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (2)
npm/pouchdb
0 - 6.0.5 (npm)
pouchdb/pouchdb
< 6.0.4
Published
May 31, 2018
Tracked Since
Feb 18, 2026