Skip to main content

Quest Bot

9 CVEs product

Monthly

CVE-2026-47189 HIGH PATCH This Week

Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission in any guild delete AutoMod rules belonging to other guilds. The flaw stems from looking up rules by global database ID without verifying guild ownership, and rule IDs are discoverable via the bot's autocomplete feature. No public exploit identified at time of analysis, but the GitHub Security Advisory and patched release v1.0.5 are public.

Authentication Bypass Quest Bot
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-47188 LOW PATCH Monitor

Unsanitized reason text in Quest Bot's /unban and /unwarn Discord commands enables authenticated moderators to trigger mass pings against all server members. Versions prior to 1.0.5 of this open-source Discord moderation bot pass user-controlled reason strings directly into public bot messages without setting Discord's allowedMentions restriction, unlike other moderation commands that already suppress mention parsing. An attacker with moderator-level Discord permissions can embed @everyone or @here in any ban or warn reason to force mass notification delivery to all guild members. No active exploitation has been confirmed and no public exploit code has been identified at the time of analysis.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-47177 MEDIUM PATCH This Month

Ticket transcript redirection in Quest Bot (prior to v1.0.4) allows a privileged user with bot settings access to configure the closed-ticket transcript destination to any channel they can read, exposing full private ticket histories to unauthorized parties. The bot fails to enforce parity between the access controls of the original ticket channel and the transcript destination, breaking the confidentiality boundary of the ticketing system. No public exploit code exists and no KEV listing applies; the CVSS 4.0 score of 5.7 reflects the high privilege requirement and passive user interaction needed to trigger exposure.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-47176 MEDIUM PATCH This Month

Quest Bot, an open-source Discord moderation/utility bot, exposes private channel message contents to privileged users who should not have access to them. A user holding bot configuration privileges can enable the logging feature and direct logs to a channel they control, causing the bot to forward deleted and edited message content from all channels it can observe - including private channels the configuring user is explicitly excluded from reading. No public exploit has been identified at time of analysis, and a patch was released in version 1.0.4.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-47175 LOW PATCH Monitor

Quest Bot (Discord moderation bot) prior to v1.0.4 allows low-privileged moderators to leverage the bot's elevated Discord mention permissions to send @everyone or @here notifications they are not themselves permitted to send. Moderation commands that echo user-supplied reason text in public channel replies do not suppress Discord's mention parser, creating a permission boundary bypass within the Discord API privilege model. No public exploit code exists and no active exploitation has been confirmed, though the conditions for abuse are operationally common in Discord servers where bots hold mention permissions above their moderating users.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-47173 MEDIUM PATCH This Month

Unsanitized output in Quest Bot's ticket creation workflow allows any unprivileged Discord server member to inject @everyone, @here, role mentions, or user mentions into ticket channel messages, causing the bot to trigger mass notifications. All Quest Bot versions prior to 1.0.3 are affected; the bot must hold Discord's 'Mention Everyone' permission for the attack to achieve its full impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-47171 HIGH PATCH This Week

Mass mention abuse in Quest Bot (open-source Discord moderation/utility bot) before version 1.0.3 allows any normal Discord user to schedule reminders containing @everyone or @here payloads that the bot later re-sends without mention suppression. Because the bot typically holds the Mention Everyone permission, the stored reminder text effectively grants unprivileged users the ability to ping an entire server or channel on demand. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the trivial reproduction path makes the abuse pattern likely once known.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-47163 HIGH PATCH This Week

Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access to invoke moderator-only /automod add, /automod remove, and /automod list commands due to missing Discord default permission requirements and absent runtime permission checks. Exploitation enables a low-privileged member to register automod rules matching common text patterns, causing the bot to delete other users' legitimate messages. No public exploit identified at time of analysis, but the trivial nature of the abuse and public advisory increase likelihood of weaponization in active Discord servers.

Authentication Bypass Quest Bot
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-47169 HIGH PATCH This Week

Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only the Manage Server (ManageGuild) permission to abuse the AutoRole configuration to auto-assign an Administrator-level role to newly joining members. No public exploit identified at time of analysis, but the attack path is fully documented in the GitHub Security Advisory GHSA-8vgg-4hpx-7qfg, making the technique trivially reproducible by anyone with the required guild permission.

Information Disclosure Quest Bot
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission in any guild delete AutoMod rules belonging to other guilds. The flaw stems from looking up rules by global database ID without verifying guild ownership, and rule IDs are discoverable via the bot's autocomplete feature. No public exploit identified at time of analysis, but the GitHub Security Advisory and patched release v1.0.5 are public.

Authentication Bypass Quest Bot
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Unsanitized reason text in Quest Bot's /unban and /unwarn Discord commands enables authenticated moderators to trigger mass pings against all server members. Versions prior to 1.0.5 of this open-source Discord moderation bot pass user-controlled reason strings directly into public bot messages without setting Discord's allowedMentions restriction, unlike other moderation commands that already suppress mention parsing. An attacker with moderator-level Discord permissions can embed @everyone or @here in any ban or warn reason to force mass notification delivery to all guild members. No active exploitation has been confirmed and no public exploit code has been identified at the time of analysis.

Information Disclosure Quest Bot
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Ticket transcript redirection in Quest Bot (prior to v1.0.4) allows a privileged user with bot settings access to configure the closed-ticket transcript destination to any channel they can read, exposing full private ticket histories to unauthorized parties. The bot fails to enforce parity between the access controls of the original ticket channel and the transcript destination, breaking the confidentiality boundary of the ticketing system. No public exploit code exists and no KEV listing applies; the CVSS 4.0 score of 5.7 reflects the high privilege requirement and passive user interaction needed to trigger exposure.

Information Disclosure Quest Bot
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Quest Bot, an open-source Discord moderation/utility bot, exposes private channel message contents to privileged users who should not have access to them. A user holding bot configuration privileges can enable the logging feature and direct logs to a channel they control, causing the bot to forward deleted and edited message content from all channels it can observe - including private channels the configuring user is explicitly excluded from reading. No public exploit has been identified at time of analysis, and a patch was released in version 1.0.4.

Information Disclosure Quest Bot
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Quest Bot (Discord moderation bot) prior to v1.0.4 allows low-privileged moderators to leverage the bot's elevated Discord mention permissions to send @everyone or @here notifications they are not themselves permitted to send. Moderation commands that echo user-supplied reason text in public channel replies do not suppress Discord's mention parser, creating a permission boundary bypass within the Discord API privilege model. No public exploit code exists and no active exploitation has been confirmed, though the conditions for abuse are operationally common in Discord servers where bots hold mention permissions above their moderating users.

Information Disclosure Quest Bot
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unsanitized output in Quest Bot's ticket creation workflow allows any unprivileged Discord server member to inject @everyone, @here, role mentions, or user mentions into ticket channel messages, causing the bot to trigger mass notifications. All Quest Bot versions prior to 1.0.3 are affected; the bot must hold Discord's 'Mention Everyone' permission for the attack to achieve its full impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Quest Bot
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Mass mention abuse in Quest Bot (open-source Discord moderation/utility bot) before version 1.0.3 allows any normal Discord user to schedule reminders containing @everyone or @here payloads that the bot later re-sends without mention suppression. Because the bot typically holds the Mention Everyone permission, the stored reminder text effectively grants unprivileged users the ability to ping an entire server or channel on demand. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the trivial reproduction path makes the abuse pattern likely once known.

Information Disclosure Quest Bot
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access to invoke moderator-only /automod add, /automod remove, and /automod list commands due to missing Discord default permission requirements and absent runtime permission checks. Exploitation enables a low-privileged member to register automod rules matching common text patterns, causing the bot to delete other users' legitimate messages. No public exploit identified at time of analysis, but the trivial nature of the abuse and public advisory increase likelihood of weaponization in active Discord servers.

Authentication Bypass Quest Bot
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only the Manage Server (ManageGuild) permission to abuse the AutoRole configuration to auto-assign an Administrator-level role to newly joining members. No public exploit identified at time of analysis, but the attack path is fully documented in the GitHub Security Advisory GHSA-8vgg-4hpx-7qfg, making the technique trivially reproducible by anyone with the required guild permission.

Information Disclosure Quest Bot
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy