Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible modal endpoint requires only Discord panel membership (PR:L); availability impact is Low and scope unchanged as exhaustion is confined to the bot's own channels and database.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8.
AnalysisAI
Ticket panel resource exhaustion in Quest Bot (open-source Discord bot, all versions prior to 1.1.8) allows any Discord user with panel access to flood a server with unlimited ticket channels and database records. Each modal submission unconditionally spawns a new Discord channel and database entry with no duplicate-ticket check and no rate limiting, enabling trivial availability denial of the ticketing system. No active exploitation (KEV) or public exploit code has been identified; vendor-released patch version 1.1.8 is confirmed available.
Technical ContextAI
Quest Bot (CPE: cpe:2.3:a:duck-organization:questbot:*:*:*:*:*:*:*:*) is an open-source Discord bot implementing a support-ticket workflow where Discord users submit modal forms that trigger channel creation and database record insertion. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling): the modal submission handler performs no idempotency check (does the user already have an open ticket?) and imposes no cooldown or submission-rate constraint. Every modal completion unconditionally executes both a Discord channel-creation API call and a database INSERT, meaning a single user can exhaust Discord's per-server channel cap and bloat the backing database without restriction. The affected component is the ticket modal submission path in all pre-1.1.8 releases.
RemediationAI
Upgrade Quest Bot to version 1.1.8, which introduces open-ticket deduplication checks and submission rate limiting on the ticket modal handler. The patched release is available at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.8. As a compensating control prior to patching, Discord server administrators should restrict ticket panel access to specific trusted roles via Discord permission settings, reducing the pool of users who can trigger modal submissions. Note that restricting panel access limits legitimate user self-service ticketing, which may be unacceptable for community support servers. No compensating control addresses the root cause - only the v1.1.8 patch resolves the missing idempotency and rate-limit logic.
Improper input validation in Quest Bot (an open-source Discord bot) prior to version 1.1.6 lets a guild moderator weapon
Discord role hierarchy bypass in Quest Bot (open-source Discord moderation bot) prior to version 1.1.6 allows moderators
Authorization bypass in Quest Bot Discord bot prior to version 1.1.6 lets low-privilege guild members invoke the purge a
Mention injection in Quest Bot prior to version 1.1.6 allows Discord server moderators to embed @everyone or @here mass-
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36416