Skip to main content

Quest Bot CVE-2026-47196

| EUVDEUVD-2026-36412 HIGH
Improper Input Validation (CWE-20)
2026-06-12 GitHub_M
8.4
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable Discord command (AV:N), trivial whitespace payload (AC:L), requires moderator-level automod privileges (PR:L), no user interaction; impact is mass message deletion - high integrity and availability, no confidentiality loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 14:01 EUVD
Analysis Generated
Jun 12, 2026 - 12:51 vuln.today

DescriptionCVE.org

Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(""), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6.

AnalysisAI

Improper input validation in Quest Bot (an open-source Discord bot) prior to version 1.1.6 lets a guild moderator weaponize the automod feature to delete every non-bot message in a server. By submitting whitespace-only input to the automod add command, the trimmed empty string is stored as a rule and the message listener's content.includes("") check evaluates true for all messages. No public exploit identified at time of analysis, though the trigger is trivial to reproduce by anyone with permission to configure automod rules.

Technical ContextAI

Quest Bot is a Node.js/JavaScript-based Discord bot maintained by the duck-organization GitHub project (CPE: cpe:2.3:a:duck-organization:questbot). The bug is a classic CWE-20 Improper Input Validation: the automod add handler calls String.prototype.trim() on user-supplied banned-word input but never verifies the result is non-empty before persisting it. Downstream, the message listener uses JavaScript's String.prototype.includes() to test whether each guild message contains any stored banned word; per ECMA-262, str.includes("") returns true for every string, so once an empty rule exists the listener flags and deletes every non-bot message regardless of content.

RemediationAI

Vendor-released patch: Quest Bot 1.1.6 - operators running the bot should pull and redeploy this release (see https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6 and advisory GHSA-fgwg-6px5-cxp5). If immediate upgrade is not possible, restrict who can invoke the automod add command by tightening Discord role permissions on the bot's configuration commands, and audit the currently configured automod word list to remove any empty or whitespace-only entries; the side effect is that automod rule management becomes limited to a smaller trusted group. As a last-resort containment step, disabling the automod module entirely or removing the bot from the guild will stop the mass-deletion behavior at the cost of losing automated moderation.

Share

CVE-2026-47196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy