Skip to main content

Quest Bot CVE-2026-47188

| EUVDEUVD-2026-36278 LOW
Improper Encoding or Escaping of Output (CWE-116)
2026-06-11 GitHub_M
2.3
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Moderator role required (PR:L); no scope change as impact stays within the guild; no confidentiality or meaningful availability impact beyond notification spam.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:29 vuln.today

DescriptionCVE.org

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the latest release suppresses mentions in several moderation commands, but /unban and /unwarn still echo user-controlled reason text in public bot messages without allowedMentions. A moderator can use @everyone or @here in the reason and make the bot send a mass ping. This issue has been patched in version 1.0.5.

AnalysisAI

Unsanitized reason text in Quest Bot's /unban and /unwarn Discord commands enables authenticated moderators to trigger mass pings against all server members. Versions prior to 1.0.5 of this open-source Discord moderation bot pass user-controlled reason strings directly into public bot messages without setting Discord's allowedMentions restriction, unlike other moderation commands that already suppress mention parsing. An attacker with moderator-level Discord permissions can embed @everyone or @here in any ban or warn reason to force mass notification delivery to all guild members. No active exploitation has been confirmed and no public exploit code has been identified at the time of analysis.

Technical ContextAI

Quest Bot (CPE: cpe:2.3:a:duck-organization:quest-bot:*:*:*:*:*:*:*:*) is a Node.js-based Discord bot using the Discord.js library. Discord's API supports an allowedMentions option on message sends that controls which mention types (@everyone, @here, role mentions, user mentions) are parsed and delivered as notifications. The root cause, CWE-116 (Improper Encoding or Escaping of Output), manifests here as inconsistent application of this output control: other moderation commands in the bot already pass allowedMentions restrictions, but the /unban and /unwarn handlers omit the field, allowing the Discord API to parse and deliver all mention types embedded in the reason string. This is a classic output-context encoding failure where user-controlled data is reflected into a notification-capable channel without neutralizing the relevant syntax.

RemediationAI

Vendor-released patch: Quest Bot v1.0.5. Upgrade to version 1.0.5 or later by pulling the latest release from https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.5, which resolves the missing allowedMentions configuration in the /unban and /unwarn handlers. For operators unable to upgrade immediately, the most effective compensating control is to restrict the Discord role permissions that grant access to /unban and /unwarn to only fully trusted administrators rather than broader moderator groups, thereby reducing the population of principals who can trigger the flaw. Disabling the /unban and /unwarn slash commands entirely in the Discord server configuration is a more disruptive but complete workaround until patching is feasible.

Share

CVE-2026-47188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy