Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker must be an authenticated Discord user with reminder access (PR:L), scope changes to the bot's privileged channel context (S:C), and impact is limited to integrity of channel messaging (I:L); no confidentiality or availability loss.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains @everyone or @here. When the reminder triggers, the bot sends the stored message back into the channel without suppressing mass mentions. If the bot has permission to mention everyone, the reminder can ping the entire server or channel later. This issue has been patched in version 1.0.3.
AnalysisAI
Mass mention abuse in Quest Bot (open-source Discord moderation/utility bot) before version 1.0.3 allows any normal Discord user to schedule reminders containing @everyone or @here payloads that the bot later re-sends without mention suppression. Because the bot typically holds the Mention Everyone permission, the stored reminder text effectively grants unprivileged users the ability to ping an entire server or channel on demand. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the trivial reproduction path makes the abuse pattern likely once known.
Technical ContextAI
Quest Bot is a Discord application (cpe:2.3:a:duck-organization:quest-bot) that stores user-supplied reminder text and rebroadcasts it through the bot identity at a later time. The root cause is CWE-116 (Improper Encoding or Escaping of Output): the reminder dispatcher echoes attacker-controlled content into a privileged channel context without sanitizing Discord's mention tokens (@everyone, @here, role pings) or setting the API's allowed_mentions flag to suppress mass mentions. Discord treats these tokens as mentions only when the sending account carries the Mention Everyone permission, so the bot's elevated privileges become the exploitation primitive rather than any memory-corruption or auth flaw.
RemediationAI
Vendor-released patch: questbot-v1.0.3 - upgrade Quest Bot to 1.0.3 or later (release notes at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3, advisory at https://github.com/duck-organization/questbot/security/advisories/GHSA-vmgg-f3m4-6fcv). If immediate upgrade is not possible, revoke the bot's Mention Everyone permission in Discord server settings or per-channel overwrites, which fully neutralizes the abuse at the cost of breaking any legitimate announcement features the bot offers. As a narrower compensating control, restrict who can invoke the reminder command via Discord's command permissions or a role gate so untrusted members cannot schedule arbitrary reminder text; this preserves the feature but shifts trust to moderator roles.
Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission i
Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only
Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access
Unsanitized output in Quest Bot's ticket creation workflow allows any unprivileged Discord server member to inject @ever
Ticket transcript redirection in Quest Bot (prior to v1.0.4) allows a privileged user with bot settings access to config
Quest Bot, an open-source Discord moderation/utility bot, exposes private channel message contents to privileged users w
Quest Bot (Discord moderation bot) prior to v1.0.4 allows low-privileged moderators to leverage the bot's elevated Disco
Unsanitized reason text in Quest Bot's /unban and /unwarn Discord commands enables authenticated moderators to trigger m
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36299