CVE-2021-47746

HIGH

NodeBB Plugin Emoji 3.2.1 - Path Traversal

Title source: llm

Description

NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter.

Exploits (1)

exploitdb WORKING POC

by 1F98D · pythonwebappsmultiple

https://www.exploit-db.com/exploits/49813

View Code ZIP pw:eip

References (4)

[Various Sources] https://github.com/NodeBB/nodebb-plugin-emoji

[Various Sources] https://nodebb.org/

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/49813

[Third Party Advisory] https://www.vulncheck.com/advisories/nodebb-plugin-emoji-arbitrary-file-write

Scores

CVSS v3 7.5

EPSS 0.0008

EPSS Percentile 23.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-73

Status published

Published Jan 21, 2026

Tracked Since Feb 18, 2026