Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Moderator-level privileges required (PR:H); scope unchanged (S:U); only low integrity and availability disruption from mass pings; no confidentiality impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the latest release suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6.
AnalysisAI
Mention injection in Quest Bot prior to version 1.1.6 allows Discord server moderators to embed @everyone or @here mass-ping triggers inside warning reasons, which are later replayed unsanitized when the /warns command outputs stored records. While the bot correctly suppresses Discord mentions during warning creation and several other moderation actions (unbanning, unwarning, kicking, muting, unmuting), the /warns display path lacks equivalent output encoding, creating an inconsistent trust boundary. The issue is patched in version 1.1.6 with no public exploit code identified at time of analysis.
Technical ContextAI
Quest Bot is an open-source Discord bot (CPE: cpe:2.3:a:duck-organization:questbot:*:*:*:*:*:*:*:*) that implements Discord moderation commands. Discord bots can trigger mass notifications by including @everyone or @here in message content - provided the bot has been granted the corresponding guild permissions. The root cause is CWE-116 (Improper Encoding or Escaping of Output): mention suppression is applied inconsistently across command handlers. Input-time suppression is implemented for creation and action commands, but the /warns output renderer does not re-encode or strip stored mention strings before relaying them to Discord, violating the principle that output sanitization must occur at every output point regardless of what was done at input time.
RemediationAI
Vendor-released patch: version 1.1.6. Bot operators should upgrade to questbot-v1.1.6 immediately, available at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6. As a compensating control prior to upgrading, server owners can revoke the bot's @everyone and @here Discord guild permissions, which prevents mass pings even if malicious warning reasons are stored - the trade-off is that any legitimate bot feature relying on those permissions will also be disabled. Alternatively, restricting warning creation to highly trusted moderators reduces the adversarial surface, though this does not eliminate the underlying encoding flaw. Audit existing stored warning reasons for embedded @everyone or @here strings and remove them before the next /warns invocation.
Improper input validation in Quest Bot (an open-source Discord bot) prior to version 1.1.6 lets a guild moderator weapon
Discord role hierarchy bypass in Quest Bot (open-source Discord moderation bot) prior to version 1.1.6 allows moderators
Authorization bypass in Quest Bot Discord bot prior to version 1.1.6 lets low-privilege guild members invoke the purge a
Ticket panel resource exhaustion in Quest Bot (open-source Discord bot, all versions prior to 1.1.8) allows any Discord
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36415