CVE-2026-47171
Status: Deferred (Pending Action)

Mass Mention Abuse in Quest Bot Reminder Feature

Vulnerability report for CVE-2026-47171, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

Quest Bot is an open-source, modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains @everyone or @here. When the reminder fires, the bot posts the stored message back into the channel without suppressing mass mentions, so if the bot has permission to mention everyone, the delayed reminder can ping the entire server or channel. This issue has been patched in version 1.0.3.


Meta Information

Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

One associated CPE: vendor duck-organization, product questbot, versions before 1.0.3 (1.0.3 itself excluded).

CWE

CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

AI Quick Actions

Executive Summary

This vulnerability exists in the Quest Bot reminder feature (versions prior to 1.0.3). A normal user can create a reminder message that includes Discord mass mentions such as @everyone or @here.

When the reminder triggers, the bot sends the stored message back into the channel without suppressing these mass mentions. If the bot has permission to mention everyone, this can result in pinging the entire server or channel later.

The issue arises because user input is not sanitized and the bot does not suppress mass mentions in reminder messages, allowing delayed mass notifications that can disrupt servers and spam members.

Impact Analysis

This vulnerability can impact you by allowing a normal user to send mass notifications to an entire Discord server or channel without proper authorization.

Such mass pings can disrupt server operations, annoy or spam members, and potentially abuse the trust users place in the bot.

Exploitation requires that the bot has permission to send messages and to mention everyone, and that the reminder command is available to the user.

Detection Guidance

This vulnerability can be detected by checking if the Quest Bot version in use is prior to 1.0.3 and if it allows normal users to create reminders containing mass mentions like @everyone or @here.

Since the issue involves the bot sending reminder messages with unsuppressed mass mentions, monitoring Discord channels for unexpected mass pings triggered by reminders can help detect exploitation.

The linked resources provide no specific commands for detecting this vulnerability directly on the network or host.

Mitigation Strategies

The immediate mitigation step is to upgrade the Quest Bot to version 1.0.3 or later, where this vulnerability has been patched.

Additionally, review and restrict the bot's permissions to mention @everyone or @here if possible, to reduce the impact of any potential exploitation.

Until the bot is updated, monitor and audit user-created reminders for mass mentions.
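The two mitigations above, suppressing mass mentions when the reminder is sent and auditing stored reminders in the meantime, as an added example that is not Quest Bot's own code. It assumes the bot posts reminders through Discord's message-create payload, which accepts an `allowed_mentions` object; the reminder records and their fields are constructed sample data.

```javascript
// Added example, not Quest Bot's code. Assumes the bot posts reminders through
// Discord's message-create payload, which accepts an `allowed_mentions` object.

// Matches the two mention tokens that Discord expands to a mass ping.
const MASS_MENTION = /@(everyone|here)/;

// Vulnerable pattern (pre-1.0.3 behaviour): the stored reminder text is sent
// verbatim, so Discord resolves any @everyone/@here in it if the bot has
// permission to mention everyone.
function buildReminderPayloadVulnerable(storedMessage) {
  return { content: `Reminder: ${storedMessage}` };
}

// Hardened pattern: `allowed_mentions.parse: []` tells Discord to resolve no
// mention types from the content, so @everyone/@here stays inert text.
// The creator is listed explicitly so the reminder still pings its author.
function buildReminderPayloadSafe(storedMessage, creatorId) {
  return {
    content: `Reminder: ${storedMessage}`,
    allowed_mentions: { parse: [], users: creatorId ? [creatorId] : [] },
  };
}

// Interim audit: flag stored reminders that would mass-ping when they fire
// on an unpatched bot. `reminders` is whatever the bot persists; here a
// constructed array of { id, creatorId, message } records.
function findMassMentionReminders(reminders) {
  return reminders.filter((r) => MASS_MENTION.test(r.message));
}

// Models Discord's resolution rule: with no allowed_mentions object every
// mention in the content is parsed; otherwise only the listed parse types are.
function wouldMassPing(payload) {
  const parse = payload.allowed_mentions && payload.allowed_mentions.parse;
  const parsesEveryone = parse === undefined || parse.includes('everyone');
  return parsesEveryone && MASS_MENTION.test(payload.content);
}

// Constructed sample reminders (not real data).
const sampleReminders = [
  { id: 1, creatorId: '111', message: 'standup at 10' },
  { id: 2, creatorId: '222', message: '@everyone free nitro!!!' },
  { id: 3, creatorId: '333', message: 'hey @here check the pinned post' },
];

console.log(findMassMentionReminders(sampleReminders).map((r) => r.id));
```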

Compliance Impact

The vulnerability allows a normal user to create reminders containing mass mentions (@everyone or @here) that the bot sends without suppression, potentially causing spam and disruption in Discord servers.

While this behavior can lead to abuse of trust and disruption, there is no direct information in the provided context or resources linking this vulnerability to violations of common standards or regulations such as GDPR or HIPAA.

Therefore, based on the available information, it is unclear how this vulnerability specifically impacts compliance with data protection or privacy regulations.
