CVE-2026-47173
Status: Deferred - Pending Action

Mention Abuse in Quest Bot Ticket Creation

Vulnerability report for CVE-2026-47173, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description

Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions. If the bot has permission to use those mentions, the attacker can make the bot ping staff or everyone with access to the ticket channel. This issue has been patched in version 1.0.3.


Meta Information

Published: 2026-06-11
Last Modified: 2026-06-12
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Vendor: duck_organization
Product: questbot
Version / Range: up to 1.0.3 (excluding)

Exploitability

CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-47173 is a vulnerability in the Quest Bot, an open-source Discord bot used for moderation and support. Before version 1.0.3, any normal user could create a ticket with a reason containing Discord mention syntax such as @everyone, @here, user mentions, or role mentions.

When the bot created the ticket channel, it posted the attacker-controlled reason without suppressing these mentions. If the bot had permission to use those mentions, the attacker could cause the bot to ping staff or everyone with access to the ticket channel.

This issue arises from improper handling of user input, specifically the failure to escape mention syntax or disable allowed mentions when sending the ticket-opening message.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can be exploited by any guild member with access to the ticket system to send mass mentions through the bot.

  • It can spam staff or other users by triggering unwanted pings.
  • It can disrupt support workflows by flooding ticket channels with notifications.
  • It can abuse trust, since the mentions appear to come from the bot rather than from a direct user action.

The exploit requires no special privileges or complex conditions, making it easily accessible and potentially damaging to the integrity and availability of the support system.

Detection Guidance

This vulnerability can be detected by monitoring ticket creation messages in the Quest Bot for the presence of unescaped Discord mention syntax such as @everyone, @here, user mentions (<@user_id>), or role mentions (<@&role_id>). If these mentions appear in ticket reasons and result in actual pings, the system is vulnerable.

Since the issue involves the bot posting attacker-controlled reasons without suppressing mentions, you can check logs or audit messages sent by the bot for mention patterns.

There are no specific commands provided in the resources, but you can use Discord bot logs or API queries to search for messages containing mention syntax in ticket channels.

Mitigation Strategies

The immediate mitigation step is to upgrade Quest Bot to version 1.0.3 or later, where this vulnerability has been patched.

Until the upgrade is applied, restrict user permissions to create tickets or sanitize user input to prevent mention syntax from being posted by the bot.

Review and adjust the bot's permissions to limit its ability to send mentions if possible.
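As an added defensive example (not code from Quest Bot or from this advisory), the following Python checks bot-posted ticket messages for the raw mention syntax described in the detection guidance above and shows the input sanitization the mitigation section suggests. The regex, the message dict shape and the sample messages are constructed assumptions for this example.

```python
import re

# Raw Discord mention syntax: @everyone, @here, user mentions <@id> / <@!id>,
# role mentions <@&id>. The regex is constructed for this example.
MENTION_RE = re.compile(r"@everyone|@here|<@[!&]?\d+>")


def find_mentions(text: str) -> list[str]:
    """Return every mention token in a ticket reason, in order of appearance."""
    return MENTION_RE.findall(text)


def mention_kind(token: str) -> str:
    """Classify a token as 'mass' (@everyone/@here), 'role' (<@&id>) or 'user'."""
    if token in ("@everyone", "@here"):
        return "mass"
    return "role" if token.startswith("<@&") else "user"


def sanitize_reason(text: str) -> str:
    """Break mention syntax in user-supplied text before the bot echoes it.

    A zero-width space after '@' keeps the reason readable but stops Discord
    from resolving it to a ping. The more robust fix is to send the message
    with the Discord API's allowed_mentions set to parse nothing.
    """
    return MENTION_RE.sub(lambda m: m.group(0).replace("@", "@\u200b", 1), text)


def scan_bot_messages(messages: list[dict]) -> list[dict]:
    """Flag bot-authored messages that still carry raw mention syntax.
    Messages are dicts with 'id', 'author_is_bot', 'content' (assumed shape)."""
    findings = []
    for msg in messages:
        hits = find_mentions(msg["content"]) if msg.get("author_is_bot") else []
        if hits:
            findings.append({"id": msg["id"], "mentions": hits,
                             "kinds": sorted({mention_kind(h) for h in hits})})
    return findings


# Constructed sample: a bot-posted ticket-opening message with an unsanitized
# reason, plus an ordinary user message that should not be flagged.
SAMPLE_MESSAGES = [
    {"id": "1001", "author_is_bot": True,
     "content": "Ticket opened. Reason: help pls @everyone <@&123456789012345678>"},
    {"id": "1002", "author_is_bot": False, "content": "@here is anyone around?"},
]
```

Run `scan_bot_messages` over an export of messages from ticket channels; any finding with a `mass` or `role` kind is a bot message that could have pinged, which is the symptom the detection guidance describes.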
