Skip to main content

Quest Bot CVE-2026-47175

| EUVDEUVD-2026-36275 LOW
Improper Encoding or Escaping of Output (CWE-116)
2026-06-11 GitHub_M
2.3
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

AC:H reflects the dual prerequisite - bot must hold @everyone permission while the moderating user explicitly does not; PR:L requires a moderator account; no confidentiality or availability impact applies.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:27 vuln.today

DescriptionCVE.org

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to mention everyone can still make the bot send @everyone or @here if the bot has that permission. This issue has been patched in version 1.0.4.

AnalysisAI

Quest Bot (Discord moderation bot) prior to v1.0.4 allows low-privileged moderators to leverage the bot's elevated Discord mention permissions to send @everyone or @here notifications they are not themselves permitted to send. Moderation commands that echo user-supplied reason text in public channel replies do not suppress Discord's mention parser, creating a permission boundary bypass within the Discord API privilege model. No public exploit code exists and no active exploitation has been confirmed, though the conditions for abuse are operationally common in Discord servers where bots hold mention permissions above their moderating users.

Technical ContextAI

The root cause is CWE-116 (Improper Encoding or Escaping of Output). Discord's bot API supports an allowed_mentions parameter that explicitly controls whether @everyone, @here, and role/user mentions are parsed in a message payload. When a bot omits or misconfigures this parameter, Discord defaults to honoring all mentions present in the message text - using the bot's own permission set, not the invoking user's. Quest Bot's moderation commands (ban, warn, kick, etc.) construct reply strings that include the operator-supplied reason field verbatim, without sanitizing or neutralizing Discord mention tokens. The affected CPE is cpe:2.3:a:duck-organization:quest-bot:*:*:*:*:*:*:*:*, covering all versions prior to 1.0.4. The CVSS 4.0 vector AT:P reflects the prerequisite attack requirement that the bot holds @everyone or @here permission in the guild.

RemediationAI

Vendor-released patch: Quest Bot v1.0.4. Server operators running any prior version should update to v1.0.4 immediately, available at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4. The fix likely involves passing a restrictive allowed_mentions object (with parse set to an empty array or explicitly excluding everyone and roles) in all bot reply payloads that echo user-supplied text. As a compensating control prior to patching, Discord guild administrators can revoke the bot's @everyone and @here mention permission in Server Settings > Roles or channel overrides - this prevents the privilege bypass without disabling moderation functionality, though it may affect legitimate bot announcements. Alternatively, restricting the moderator role to trusted users limits the attack surface but does not eliminate the vulnerability.

Share

CVE-2026-47175 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy