CVE-2016-10546
Description
Arbitrary code injection in PouchDB map/reduce functions due to unsandboxed code execution engine, affecting versions < 6.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An arbitrary code injection vulnerability exists in PouchDB versions prior to 6.0.5 [1][2]. The flaw resides in the map/reduce functions used in temporary views and design documents. The code execution engine for these functions is not properly sandboxed, allowing untrusted JavaScript input to execute arbitrary code [1].
Exploitation
An attacker must have the ability to create or modify design documents in a PouchDB instance, typically requiring authenticated access to the database or the ability to trigger temporary views. By injecting malicious JavaScript into the map or reduce function strings, the attacker can bypass intended sandboxing and execute arbitrary code in the context of the database process [1][2].
Impact
Successful exploitation allows the attacker to run arbitrary JavaScript as well as system commands, leading to full compromise of the confidentiality, integrity, and availability of the application and potentially the underlying server [1][2].
Mitigation
Update PouchDB to version 6.0.5 or later, where the code execution engine is properly sandboxed to prevent arbitrary code injection [2]. No known workarounds exist for earlier versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| pouchdb | npm | < 6.0.5 | 6.0.5 |
Affected products
- HackerOne/pouchdb node module (v5), range: <=6.0.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cgqv-x5cx-xvqh (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-10546 (GHSA, advisory)
- nodesecurity.io/advisories/143 (MITRE, x_refsource_MISC)
- www.npmjs.com/advisories/143 (GHSA, web)
News mentions
No linked articles in our index yet.