CVE-2021-47746
Published: 21 January 2026
Summary
CVE-2021-47746 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in the NodeBB Plugin Emoji (vendor inferred from references). Its CVSS base score is reported as 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 46.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-47746 is an arbitrary file write vulnerability in NodeBB Plugin Emoji version 3.2.1. The flaw is in the emoji upload API: the file path parameter supplied in the upload request is used to build the destination path without being confined to the upload directory, so an administrative user can include directory traversal sequences and write the uploaded content to arbitrary locations on the server, including over critical system files.
An attacker who already holds administrative access to a NodeBB instance running the vulnerable plugin can exploit the issue remotely over the network with low complexity: a crafted upload request whose path parameter contains traversal sequences (for example, repeated "../" segments) yields an arbitrary file write. Depending on which file is overwritten and on the permissions of the NodeBB process, this can escalate to full system compromise. The vulnerability is associated with CWE-73 (External Control of File Name or Path). The CVSS v3.1 vector recorded for it here is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which computes to 7.5; note that this disagrees with the 8.6 given in the summary above, and that a vector with no privileges required (PR:N) and confidentiality-only impact (C:H/I:N/A:N) does not match an administrator-only file write whose primary impact is integrity. Confirm the authoritative score against NVD before using it for prioritisation.
Advisories and related resources provide details on the issue: the plugin's GitHub repository (https://github.com/NodeBB/nodebb-plugin-emoji), NodeBB's site (https://nodebb.org/), an Exploit-DB entry (https://www.exploit-db.com/exploits/49813), and a VulnCheck advisory (https://www.vulncheck.com/advisories/nodebb-plugin-emoji-arbitrary-file-write). Security practitioners should consult these for patch information and mitigation guidance, in particular for the fixed plugin version to update to.
A proof-of-concept exploit is publicly available on Exploit-DB, so the issue is likely to be abused in environments where an admin account is compromised or the admin interface is exposed to untrusted users.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3657
Vulnerability details
NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter.
- CWE-73: External Control of File Name or Path
Related Threats: MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file write via directory traversal in a web plugin directly enables web shell deployment (T1100, since retired into T1505.003, Server Software Component: Web Shell) by dropping a script into a web-served directory, and privilege escalation to full compromise (T1068) by overwriting system files that a higher-privileged process reads or executes.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly validates the manipulated file path parameter in the emoji upload API, rejecting directory traversal sequences and confining the resolved path to the upload directory, which prevents the arbitrary file write.
SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of the specific flaw in NodeBB Plugin Emoji 3.2.1 by patching or upgrading the plugin.
AC-6 (Least Privilege): restricts the NodeBB process account and administrative accounts so that, even if traversal succeeds, writes outside the upload directory fail on file system permissions rather than overwriting system files.