Skip to main content

Quest Bot EUVDEUVD-2026-36415

| CVE-2026-48485 LOW
Improper Encoding or Escaping of Output (CWE-116)
2026-06-12 GitHub_M
2.1
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.8 LOW

Moderator-level privileges required (PR:H); scope unchanged (S:U); only low integrity and availability disruption from mass pings; no confidentiality impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 14:01 EUVD
Analysis Generated
Jun 12, 2026 - 12:51 vuln.today

DescriptionCVE.org

Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the latest release suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6.

AnalysisAI

Mention injection in Quest Bot prior to version 1.1.6 allows Discord server moderators to embed @everyone or @here mass-ping triggers inside warning reasons, which are later replayed unsanitized when the /warns command outputs stored records. While the bot correctly suppresses Discord mentions during warning creation and several other moderation actions (unbanning, unwarning, kicking, muting, unmuting), the /warns display path lacks equivalent output encoding, creating an inconsistent trust boundary. The issue is patched in version 1.1.6 with no public exploit code identified at time of analysis.

Technical ContextAI

Quest Bot is an open-source Discord bot (CPE: cpe:2.3:a:duck-organization:questbot:*:*:*:*:*:*:*:*) that implements Discord moderation commands. Discord bots can trigger mass notifications by including @everyone or @here in message content - provided the bot has been granted the corresponding guild permissions. The root cause is CWE-116 (Improper Encoding or Escaping of Output): mention suppression is applied inconsistently across command handlers. Input-time suppression is implemented for creation and action commands, but the /warns output renderer does not re-encode or strip stored mention strings before relaying them to Discord, violating the principle that output sanitization must occur at every output point regardless of what was done at input time.

RemediationAI

Vendor-released patch: version 1.1.6. Bot operators should upgrade to questbot-v1.1.6 immediately, available at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6. As a compensating control prior to upgrading, server owners can revoke the bot's @everyone and @here Discord guild permissions, which prevents mass pings even if malicious warning reasons are stored - the trade-off is that any legitimate bot feature relying on those permissions will also be disabled. Alternatively, restricting warning creation to highly trusted moderators reduces the adversarial surface, though this does not eliminate the underlying encoding flaw. Audit existing stored warning reasons for embedded @everyone or @here strings and remove them before the next /warns invocation.

Share

EUVD-2026-36415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy