Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Moderator role required (PR:L); no scope change as impact stays within the guild; no confidentiality or meaningful availability impact beyond notification spam.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the latest release suppresses mentions in several moderation commands, but /unban and /unwarn still echo user-controlled reason text in public bot messages without allowedMentions. A moderator can use @everyone or @here in the reason and make the bot send a mass ping. This issue has been patched in version 1.0.5.
AnalysisAI
Unsanitized reason text in Quest Bot's /unban and /unwarn Discord commands enables authenticated moderators to trigger mass pings against all server members. Versions prior to 1.0.5 of this open-source Discord moderation bot pass user-controlled reason strings directly into public bot messages without setting Discord's allowedMentions restriction, unlike other moderation commands that already suppress mention parsing. An attacker with moderator-level Discord permissions can embed @everyone or @here in any ban or warn reason to force mass notification delivery to all guild members. No active exploitation has been confirmed and no public exploit code has been identified at the time of analysis.
Technical ContextAI
Quest Bot (CPE: cpe:2.3:a:duck-organization:quest-bot:*:*:*:*:*:*:*:*) is a Node.js-based Discord bot using the Discord.js library. Discord's API supports an allowedMentions option on message sends that controls which mention types (@everyone, @here, role mentions, user mentions) are parsed and delivered as notifications. The root cause, CWE-116 (Improper Encoding or Escaping of Output), manifests here as inconsistent application of this output control: other moderation commands in the bot already pass allowedMentions restrictions, but the /unban and /unwarn handlers omit the field, allowing the Discord API to parse and deliver all mention types embedded in the reason string. This is a classic output-context encoding failure where user-controlled data is reflected into a notification-capable channel without neutralizing the relevant syntax.
RemediationAI
Vendor-released patch: Quest Bot v1.0.5. Upgrade to version 1.0.5 or later by pulling the latest release from https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.5, which resolves the missing allowedMentions configuration in the /unban and /unwarn handlers. For operators unable to upgrade immediately, the most effective compensating control is to restrict the Discord role permissions that grant access to /unban and /unwarn to only fully trusted administrators rather than broader moderator groups, thereby reducing the population of principals who can trigger the flaw. Disabling the /unban and /unwarn slash commands entirely in the Discord server configuration is a more disruptive but complete workaround until patching is feasible.
Mass mention abuse in Quest Bot (open-source Discord moderation/utility bot) before version 1.0.3 allows any normal Disc
Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission i
Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only
Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access
Unsanitized output in Quest Bot's ticket creation workflow allows any unprivileged Discord server member to inject @ever
Ticket transcript redirection in Quest Bot (prior to v1.0.4) allows a privileged user with bot settings access to config
Quest Bot, an open-source Discord moderation/utility bot, exposes private channel message contents to privileged users w
Quest Bot (Discord moderation bot) prior to v1.0.4 allows low-privileged moderators to leverage the bot's elevated Disco
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36278