Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable Discord command (AV:N), trivial whitespace payload (AC:L), requires moderator-level automod privileges (PR:L), no user interaction; impact is mass message deletion - high integrity and availability, no confidentiality loss.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(""), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6.
AnalysisAI
Improper input validation in Quest Bot (an open-source Discord bot) prior to version 1.1.6 lets a guild moderator weaponize the automod feature to delete every non-bot message in a server. By submitting whitespace-only input to the automod add command, the trimmed empty string is stored as a rule and the message listener's content.includes("") check evaluates true for all messages. No public exploit identified at time of analysis, though the trigger is trivial to reproduce by anyone with permission to configure automod rules.
Technical ContextAI
Quest Bot is a Node.js/JavaScript-based Discord bot maintained by the duck-organization GitHub project (CPE: cpe:2.3:a:duck-organization:questbot). The bug is a classic CWE-20 Improper Input Validation: the automod add handler calls String.prototype.trim() on user-supplied banned-word input but never verifies the result is non-empty before persisting it. Downstream, the message listener uses JavaScript's String.prototype.includes() to test whether each guild message contains any stored banned word; per ECMA-262, str.includes("") returns true for every string, so once an empty rule exists the listener flags and deletes every non-bot message regardless of content.
RemediationAI
Vendor-released patch: Quest Bot 1.1.6 - operators running the bot should pull and redeploy this release (see https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6 and advisory GHSA-fgwg-6px5-cxp5). If immediate upgrade is not possible, restrict who can invoke the automod add command by tightening Discord role permissions on the bot's configuration commands, and audit the currently configured automod word list to remove any empty or whitespace-only entries; the side effect is that automod rule management becomes limited to a smaller trusted group. As a last-resort containment step, disabling the automod module entirely or removing the bot from the guild will stop the mass-deletion behavior at the cost of losing automated moderation.
Discord role hierarchy bypass in Quest Bot (open-source Discord moderation bot) prior to version 1.1.6 allows moderators
Authorization bypass in Quest Bot Discord bot prior to version 1.1.6 lets low-privilege guild members invoke the purge a
Ticket panel resource exhaustion in Quest Bot (open-source Discord bot, all versions prior to 1.1.8) allows any Discord
Mention injection in Quest Bot prior to version 1.1.6 allows Discord server moderators to embed @everyone or @here mass-
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36412