Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects that the bot must hold 'Mention Everyone' permission - a non-default server configuration outside attacker control; PR:N as any server member can submit tickets.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions. If the bot has permission to use those mentions, the attacker can make the bot ping staff or everyone with access to the ticket channel. This issue has been patched in version 1.0.3.
AnalysisAI
Unsanitized output in Quest Bot's ticket creation workflow allows any unprivileged Discord server member to inject @everyone, @here, role mentions, or user mentions into ticket channel messages, causing the bot to trigger mass notifications. All Quest Bot versions prior to 1.0.3 are affected; the bot must hold Discord's 'Mention Everyone' permission for the attack to achieve its full impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Quest Bot is an open-source Discord moderation and support bot (CPE: cpe:2.3:a:duck-organization:quest-bot) that exposes a ticket-creation feature to server members. Discord's message API resolves special mention syntax (@everyone, @here, <@role_id>, <@user_id>) into live notifications when the sending bot token holds the 'Mention Everyone' or appropriate role-mention permission. The root cause is CWE-116 (Improper Encoding or Escaping of Output): the bot accepts free-text ticket reasons from users and relays them verbatim into the resulting ticket channel message without applying Discord's allowed_mentions suppression parameter or stripping mention syntax. A correct implementation would either sanitize user-supplied strings before embedding them in bot messages or set the allowed_mentions field to an empty whitelist, preventing Discord from resolving any mention tokens regardless of bot permissions.
RemediationAI
Upgrade Quest Bot to version 1.0.3, which resolves the output encoding flaw per the vendor security advisory GHSA-27xg-395c-xfcx (https://github.com/duck-organization/questbot/security/advisories/GHSA-27xg-395c-xfcx) and the tagged release at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3. If an immediate upgrade is not possible, revoke the bot's 'Mention Everyone' Discord permission in the server's role settings - this eliminates the exploit's impact entirely, at the cost of preventing any legitimate bot-initiated mass mentions. A secondary compensating control is to restrict ticket creation to trusted or verified roles rather than all server members, which reduces the attacker pool; however, this does not fix the underlying injection flaw and introduces friction for legitimate support workflows. Neither workaround addresses the root CWE-116 defect, so patching remains the definitive remediation.
Mass mention abuse in Quest Bot (open-source Discord moderation/utility bot) before version 1.0.3 allows any normal Disc
Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission i
Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only
Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access
Ticket transcript redirection in Quest Bot (prior to v1.0.4) allows a privileged user with bot settings access to config
Quest Bot, an open-source Discord moderation/utility bot, exposes private channel message contents to privileged users w
Quest Bot (Discord moderation bot) prior to v1.0.4 allows low-privileged moderators to leverage the bot's elevated Disco
Unsanitized reason text in Quest Bot's /unban and /unwarn Discord commands enables authenticated moderators to trigger m
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36274