CVE-2026-47175
Deferred - Pending Action

Stored XSS in Quest Bot via Moderation Commands

Vulnerability report for CVE-2026-47175, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-13

Assigner: GitHub, Inc.

Description

Quest Bot is an open-source, modern Discord bot built for moderation, utilities, and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to mention everyone can therefore make the bot send @everyone or @here if the bot has that permission. This issue has been patched in version 1.0.4.


Meta Information

Published: 2026-06-11
Last Modified: 2026-06-13
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 1 associated CPE

Vendor: duck-organization
Product: questbot
Version / Range: all versions before 1.0.4 (1.0.4 excluded)

CWE

CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

AI Quick Actions (instant insights powered by AI)

Executive Summary

CVE-2026-47175 is a vulnerability in Quest Bot, an open-source Discord moderation bot. Before version 1.0.4, certain moderation commands such as /ban, /kick, /mute, and /warn echo user-provided reason text in public bot replies without disabling mention parsing.

This means a moderator who does not have permission to mention everyone can still cause the bot to send @everyone or @here mentions if the bot itself has that permission. An attacker can include these mentions in the reason field, triggering mass notifications in the public confirmation message before the moderation action is confirmed, and even if it is then cancelled.

The root cause is improper handling of user input: the bot neither escapes mention syntax in the echoed reason nor disables mention parsing on the reply, so the reason text can trigger unauthorized mass mentions.

Impact Analysis

This vulnerability can be exploited to cause disruption in large Discord servers by sending unwanted mass notifications using @everyone or @here pings.

It allows attackers with limited moderation permissions to abuse the bot to send these notifications, even if they themselves do not have permission to mention everyone.

Such abuse can lead to spam, annoyance for server members, and damage to trust since the notifications appear to come from a trusted bot.

Detection Guidance

Detection of this vulnerability involves monitoring bot replies for unexpected @everyone or @here mentions triggered by moderation commands such as /ban, /kick, /mute, and /warn.

Specifically, look for public bot confirmation messages that echo user-provided reason text containing @everyone or @here mentions, especially if the moderator issuing the command does not have permission to mention everyone.

Since the issue is related to the bot echoing unescaped mention syntax, you can audit bot logs or message histories for such patterns.

There are no specific commands provided in the available resources to detect this vulnerability on your system or network.

Mitigation Strategies

The primary mitigation step is to upgrade the Quest Bot to version 1.0.4 or later, where this vulnerability has been patched.

Until the upgrade is applied, revoke the bot role's permission to mention @everyone and @here, so that echoed reason text cannot trigger mass notifications.

Additionally, limit the moderation permissions of users who can issue commands that echo reason text, or implement manual review of reason inputs to avoid mention abuse.
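The following is an added example, not Quest Bot's own code, illustrating both the detection guidance and the mitigation above. It is written in JavaScript as a stand-alone sketch: the reply builders show the vulnerable payload beside the hardened one (Discord's message-create API accepts an `allowed_mentions` object, and `parse: []` makes @everyone/@here render as plain text regardless of the bot's own permission), and the log format scanned by the detection function is constructed for this example.

```javascript
// Added example (not Quest Bot's code). Discord's message-create payload takes an
// `allowed_mentions` object; `parse: []` makes Discord render "@everyone"/"@here"
// as plain text, so the bot's own Mention Everyone permission no longer matters.
const MASS_MENTION = /@(everyone|here)\b/;

// Vulnerable shape: reason text interpolated into content, mention parsing left on.
function buildReplyVulnerable(action, targetId, reason) {
  return { content: `${action} <@${targetId}> | Reason: ${reason}` };
}

// Hardened shape: identical text, but only the explicit target user may be pinged.
function buildReplyHardened(action, targetId, reason) {
  return {
    content: `${action} <@${targetId}> | Reason: ${reason}`,
    allowed_mentions: { parse: [], users: [targetId] },
  };
}

// True when Discord would notify everyone for this payload: a mass mention is present
// and allowed_mentions is absent (Discord's default parses all mentions) or permits it.
function canMassPing(payload) {
  if (!MASS_MENTION.test(payload.content)) return false;
  const am = payload.allowed_mentions;
  return am === undefined || (am.parse || []).includes('everyone');
}

// Detection over audit-log lines (constructed format, hypothetical):
// "<ts> cmd=<slash-command> moderator=<id> mod_can_mention_everyone=<0|1> reply=<text>"
// Flags replies that carry @everyone/@here issued by a moderator lacking that permission.
function findSuspiciousReplies(logLines) {
  const pattern = /cmd=(\/\w+) moderator=(\d+) mod_can_mention_everyone=([01]) reply=(.*)$/;
  const hits = [];
  for (const line of logLines) {
    const m = pattern.exec(line);
    if (!m) continue;
    const [, cmd, moderator, canMention, reply] = m;
    if (canMention === '0' && MASS_MENTION.test(reply)) hits.push({ cmd, moderator });
  }
  return hits;
}

// Constructed sample log lines for the detection function.
const SAMPLE_LOG = [
  '2026-06-12T10:00:01Z cmd=/warn moderator=111 mod_can_mention_everyone=1 reply=Warned <@555> | Reason: spam',
  '2026-06-12T10:02:17Z cmd=/ban moderator=222 mod_can_mention_everyone=0 reply=Banned <@556> | Reason: @everyone look here',
  '2026-06-12T10:03:40Z cmd=/kick moderator=222 mod_can_mention_everyone=0 reply=Kicked <@557> | Reason: rules',
];
```

Running `findSuspiciousReplies(SAMPLE_LOG)` flags only the /ban entry, where a moderator without the permission produced a reply containing @everyone.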

Compliance Impact

The vulnerability allows attackers with limited moderation permissions to cause the bot to send unauthorized mass notifications using @everyone or @here mentions. This can lead to disruption and unwanted notifications in large servers.

However, there is no information provided that directly links this vulnerability to violations or impacts on compliance with common standards and regulations such as GDPR or HIPAA.
