NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write Vulnerability Severity High Date January 21, 2026 Affected Product NodeBB Plugin Emoji 3.2.1 CVE Identifier CVE-2021-47746 CWE Identifier CWE-73 External Control of File Name or Path CVSS Score 5.4/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N References ExploitDB-49813 Official NodeBB Homepage NodeBB Emoji Plugin GitHub Repository Credit 1F98D Description NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter.