A bug in our message parsing code can result in remote code execution.
Affected versions: >=2.5.0 <2.8.7
We have resolved this in the latest version of NodeBB (2.8.7), and the fix has already been rolled out as a patch to all of our hosted customers.
The fix is included in the latest 2.8.7 release: https://github.com/NodeBB/NodeBB/releases/tag/v2.8.7
If you are not able to upgrade to the latest release, you can also cherry-pick or apply this commit manually: https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092
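
To check a self-hosted install against the affected range above, the following added example (not NodeBB's own code) classifies a version string and reads it from an install directory. It assumes the top-level `version` field of the install's `package.json` holds the NodeBB version; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a NodeBB version against the advisory's range
# (>=2.5.0 <2.8.7). Function names are illustrative, not part of NodeBB.

# nodebb_status X.Y.Z -> not-affected | affected | fixed | unknown
# Only plain X.Y.Z (optional leading "v") is accepted; pre-release or
# otherwise unusual strings yield "unknown" rather than a guess.
nodebb_status() {
    printf '%s\n' "${1#v}" | awk -F. '
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+$/ { print "unknown"; exit }
        {
            # Assumes each component is below 1000.
            k = $1 * 1000000 + $2 * 1000 + $3
            if (k < 2005000)      print "not-affected"   # older than 2.5.0
            else if (k < 2008007) print "affected"       # 2.5.0 .. 2.8.6
            else                  print "fixed"          # 2.8.7 and later
        }'
}

# installed_version DIR -> first "version" value in DIR/package.json
# (assumption: this field carries the NodeBB version).
installed_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$1/package.json" 2>/dev/null | head -n 1
}

# check_install DIR -> "<version> <status>"
check_install() {
    v=$(installed_version "$1")
    printf '%s %s\n' "${v:-?}" "$(nodebb_status "$v")"
}

if [ $# -gt 0 ]; then
    check_install "$1"
else
    # Constructed sample versions, covering both edges of the range.
    for v in 2.4.9 2.5.0 2.8.6 2.8.7; do
        printf '%s %s\n' "$v" "$(nodebb_status "$v")"
    done
fi
```

An install patched by applying the commit manually may still report a version inside the affected range, so confirm the patch separately in that case.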