Skip to main content

Quest Bot CVE-2026-47173

| EUVDEUVD-2026-36274 MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-06-11 GitHub_M
6.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

AC:H reflects that the bot must hold 'Mention Everyone' permission - a non-default server configuration outside attacker control; PR:N as any server member can submit tickets.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:27 vuln.today

DescriptionCVE.org

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions. If the bot has permission to use those mentions, the attacker can make the bot ping staff or everyone with access to the ticket channel. This issue has been patched in version 1.0.3.

AnalysisAI

Unsanitized output in Quest Bot's ticket creation workflow allows any unprivileged Discord server member to inject @everyone, @here, role mentions, or user mentions into ticket channel messages, causing the bot to trigger mass notifications. All Quest Bot versions prior to 1.0.3 are affected; the bot must hold Discord's 'Mention Everyone' permission for the attack to achieve its full impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Quest Bot is an open-source Discord moderation and support bot (CPE: cpe:2.3:a:duck-organization:quest-bot) that exposes a ticket-creation feature to server members. Discord's message API resolves special mention syntax (@everyone, @here, <@role_id>, <@user_id>) into live notifications when the sending bot token holds the 'Mention Everyone' or appropriate role-mention permission. The root cause is CWE-116 (Improper Encoding or Escaping of Output): the bot accepts free-text ticket reasons from users and relays them verbatim into the resulting ticket channel message without applying Discord's allowed_mentions suppression parameter or stripping mention syntax. A correct implementation would either sanitize user-supplied strings before embedding them in bot messages or set the allowed_mentions field to an empty whitelist, preventing Discord from resolving any mention tokens regardless of bot permissions.

RemediationAI

Upgrade Quest Bot to version 1.0.3, which resolves the output encoding flaw per the vendor security advisory GHSA-27xg-395c-xfcx (https://github.com/duck-organization/questbot/security/advisories/GHSA-27xg-395c-xfcx) and the tagged release at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3. If an immediate upgrade is not possible, revoke the bot's 'Mention Everyone' Discord permission in the server's role settings - this eliminates the exploit's impact entirely, at the cost of preventing any legitimate bot-initiated mass mentions. A secondary compensating control is to restrict ticket creation to trusted or verified roles rather than all server members, which reduces the attacker pool; however, this does not fix the underlying injection flaw and introduces friction for legitimate support workflows. Neither workaround addresses the root CWE-116 defect, so patching remains the definitive remediation.

Share

CVE-2026-47173 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy