LiveActive security incident?Get immediate response
CVE Record

CVE-2016-10548: Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted css.

Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted css. This makes cross sites scripting (XSS) possible on the client and arbitrary code injection possible on the server and user input is passed to the `calc` function.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This vulnerability affects the reduce-css-calc Node module through version 1.2.4. Crafted CSS passed into its calc function can execute code. In a browser this may become XSS; on a server it may become arbitrary code injection. The business risk depends on whether user-controlled CSS reaches this library.

Executive priority

Treat this as high priority if the module runs on servers or processes user-supplied CSS. If use is only internal build-time CSS, urgency is lower but still requires dependency cleanup because the affected version is obsolete and code execution is the stated impact.

Technical view

CVE-2016-10548 is a CWE-94 code injection issue in reduce-css-calc <=1.2.4. The source bundle states crafted CSS can trigger arbitrary code execution when user input is passed to the calc function, with client-side XSS and server-side code injection implications. No CVSS score is provided.

Likely exposure

Exposure is likely in JavaScript applications that depend on reduce-css-calc <=1.2.4 and process user-controlled CSS values. Transitive dependency use matters, especially in CSS processing pipelines, theming features, or server-side rendering/build services that accept untrusted style input.

Exploitation context

The provided sources do not indicate CISA KEV listing or active exploitation. The vulnerability requires crafted CSS reaching the calc function. Server-side use is more serious because the stated impact includes arbitrary code injection, while browser-side use may create XSS.

Researcher notes

Evidence is limited to CVE metadata and the referenced public advisories. No CVSS vector, patch version, exploit-in-the-wild evidence, or detailed environmental prerequisites are provided in the bundle. Avoid asserting exploitability without confirming actual data flow into reduce-css-calc calc.

Mitigation direction

  • Inventory direct and transitive reduce-css-calc dependencies.
  • Remove or replace reduce-css-calc versions <=1.2.4.
  • Check vendor or package advisories for supported fixed versions.
  • Do not pass untrusted CSS into the calc function.
  • Prioritize server-side CSS processing paths first.

Validation and detection

  • Search dependency manifests and lockfiles for reduce-css-calc.
  • Confirm deployed artifacts do not include versions <=1.2.4.
  • Trace whether user-controlled CSS reaches calc processing.
  • Review browser-side uses for XSS exposure.
  • Review server-side uses for code injection exposure.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-94: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2016-10548 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
HackerOnereduce-css-calc node module<=1.2.4Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-94 · source CWE mapping

Improper Control of Generation of Code ('Code Injection')

Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.