Cyber Resilience

CVE-2021-47746

Severity: High · Public PoC

Published: 21 January 2026
Modified: 15 April 2026
CVSS v4 score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0066 (46.9th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2021-47746 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in NodeBB (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 46.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-47746 is an arbitrary file write vulnerability in the NodeBB Plugin Emoji version 3.2.1. The flaw exists in the emoji upload API, where administrative users can manipulate the file path parameter to perform directory traversal, enabling them to write files to arbitrary system locations and overwrite critical system files.

Attackers with administrative access to a NodeBB instance using the vulnerable plugin can exploit this issue remotely over the network with low complexity. By crafting malicious file upload requests containing directory traversal sequences, they can achieve arbitrary file writes, potentially leading to full system compromise depending on the overwritten files and server permissions. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-73 (External Control of File Name or Path).

Advisories and related resources, including the plugin's GitHub repository (https://github.com/NodeBB/nodebb-plugin-emoji), NodeBB's site (https://nodebb.org/), an Exploit-DB entry (https://www.exploit-db.com/exploits/49813), and a VulnCheck advisory (https://www.vulncheck.com/advisories/nodebb-plugin-emoji-arbitrary-file-write), provide details on the issue; security practitioners should consult these for patch information and mitigation guidance, such as updating to a fixed plugin version.

A proof-of-concept exploit is publicly available on Exploit-DB, indicating potential for real-world abuse in environments with exposed admin interfaces.

Vulnerability details

NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter.

CWE(s): CWE-73 External Control of File Name or Path

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1505.003 Web Shell (tactic: Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file write via directory traversal in a web plugin directly enables web shell deployment (T1100) and privilege escalation to full compromise (T1068) by overwriting system files.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20931 (shared CWE-73)
CVE-2026-32204 (shared CWE-73)
CVE-2025-59291 (shared CWE-73)
CVE-2025-25761 (shared CWE-73)
CVE-2026-24287 (shared CWE-73)
CVE-2025-59292 (shared CWE-73)
CVE-2026-41088 (shared CWE-73)
CVE-2026-4132 (shared CWE-73)
CVE-2024-22341 (shared CWE-73)
CVE-2023-45588 (shared CWE-73)

Affected Assets

NodeBB (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent)

Directly validates the manipulated file path parameter in the emoji upload API to block directory traversal sequences and prevent arbitrary file writes.

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and remediation of the specific flaw in NodeBB Plugin Emoji 3.2.1 via patching or upgrading the plugin.

Least privilege (prevent)

Enforces least privilege on the application process or administrative accounts to restrict writes to arbitrary system locations even if traversal occurs.

References