CVE-2021-47746

HIGH

NodeBB Plugin Emoji 3.2.1 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47746. PoCs published by 1F98D.

AI-analyzed exploit summary This exploit leverages an arbitrary file write vulnerability in NodeBB Plugin Emoji <= v3.2.1 by abusing the emoji upload API with a directory traversal payload. It requires administrative access to upload a file (e.g., SSH authorized_keys) to an arbitrary location on the server.

Description

NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter.

Exploits (1)

exploitdb WORKING POC
by 1F98D · pythonwebappsmultiple
https://www.exploit-db.com/exploits/49813

This exploit leverages an arbitrary file write vulnerability in NodeBB Plugin Emoji <= v3.2.1 by abusing the emoji upload API with a directory traversal payload. It requires administrative access to upload a file (e.g., SSH authorized_keys) to an arbitrary location on the server.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: NodeBB Plugin Emoji <= v3.2.1
Auth required
Prerequisites: Administrative access to NodeBB · Network access to the target · Valid credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/49813
Various Sources product
https://nodebb.org/

Scores

CVSS v3 7.5
EPSS 0.0066
EPSS Percentile 46.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-73
Status published
Published Jan 21, 2026
Tracked Since Feb 18, 2026