Skip to main content

Quest Bot CVE-2026-47171

| EUVDEUVD-2026-36299 HIGH
Improper Encoding or Escaping of Output (CWE-116)
2026-06-11 GitHub_M
8.8
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.0 MEDIUM

Attacker must be an authenticated Discord user with reminder access (PR:L), scope changes to the bot's privileged channel context (S:C), and impact is limited to integrity of channel messaging (I:L); no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:18 vuln.today

DescriptionCVE.org

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains @everyone or @here. When the reminder triggers, the bot sends the stored message back into the channel without suppressing mass mentions. If the bot has permission to mention everyone, the reminder can ping the entire server or channel later. This issue has been patched in version 1.0.3.

AnalysisAI

Mass mention abuse in Quest Bot (open-source Discord moderation/utility bot) before version 1.0.3 allows any normal Discord user to schedule reminders containing @everyone or @here payloads that the bot later re-sends without mention suppression. Because the bot typically holds the Mention Everyone permission, the stored reminder text effectively grants unprivileged users the ability to ping an entire server or channel on demand. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the trivial reproduction path makes the abuse pattern likely once known.

Technical ContextAI

Quest Bot is a Discord application (cpe:2.3:a:duck-organization:quest-bot) that stores user-supplied reminder text and rebroadcasts it through the bot identity at a later time. The root cause is CWE-116 (Improper Encoding or Escaping of Output): the reminder dispatcher echoes attacker-controlled content into a privileged channel context without sanitizing Discord's mention tokens (@everyone, @here, role pings) or setting the API's allowed_mentions flag to suppress mass mentions. Discord treats these tokens as mentions only when the sending account carries the Mention Everyone permission, so the bot's elevated privileges become the exploitation primitive rather than any memory-corruption or auth flaw.

RemediationAI

Vendor-released patch: questbot-v1.0.3 - upgrade Quest Bot to 1.0.3 or later (release notes at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3, advisory at https://github.com/duck-organization/questbot/security/advisories/GHSA-vmgg-f3m4-6fcv). If immediate upgrade is not possible, revoke the bot's Mention Everyone permission in Discord server settings or per-channel overwrites, which fully neutralizes the abuse at the cost of breaking any legitimate announcement features the bot offers. As a narrower compensating control, restrict who can invoke the reminder command via Discord's command permissions or a role gate so untrusted members cannot schedule arbitrary reminder text; this preserves the feature but shifts trust to moderator roles.

Share

CVE-2026-47171 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy