CVE-2026-47188
Status: Deferred - Pending Action

Unrestricted Mention Disclosure in Quest Bot

Vulnerability report for CVE-2026-47188, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-13

Assigner: GitHub, Inc.

Description

Quest Bot is an open-source Discord bot built for moderation, utilities and support. Prior to version 1.0.5, the bot suppresses mentions in several moderation commands, but /unban and /unwarn still echo user-controlled reason text in public bot messages without an allowedMentions restriction. A moderator can put @everyone or @here in the reason and make the bot send a mass ping. This issue has been patched in version 1.0.5.

CVSS Scores

Base score 2.3 (Low), as reported in the Impact Analysis below.
Meta Information

Published: 2026-06-11
Last Modified: 2026-06-13
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30
Records: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor             Product   Version / Range
duck_organization  questbot  < 1.0.5 (all releases before the fix)
duck_organization  questbot  1.0.5

Note: the second CPE entry lists the fixed version itself, which conflicts with the description's statement that 1.0.5 contains the patch. Treat 1.0.5 as fixed unless the CPE data is corrected.

Exploitability

CWE-116 (Improper Encoding or Escaping of Output): The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

AI Quick Actions (AI-generated analysis)

Compliance Impact

The vulnerability lets a moderator make the bot send mass mentions because user-supplied reason text is not sanitized, causing unwanted notifications to server members. No information is available about a direct impact on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-47188 is a vulnerability in Quest Bot, an open-source Discord moderation bot. In versions prior to 1.0.5, the bot's /unban and /unwarn commands echo user-supplied reason text in public messages without restricting mentions. A moderator can therefore include @everyone or @here in the reason, and the bot sends a mass notification to every member of the Discord server.

The root cause is that the bot replies with the reason text without an allowedMentions restriction (the discord.js option that maps to the Discord API's allowed_mentions field). When that field is absent, Discord resolves every mention in the message body, so user-controlled content becomes a ping sent under the bot's identity. This issue was fixed in version 1.0.5.
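To make the root cause concrete, here is an added example (not Quest Bot's code) that models a pre-1.0.5 style confirmation reply beside its hardened form and simulates Discord's allowed_mentions rule. The function names, the confirmation wording and the sample reason are assumptions made for illustration; `wouldMassPing` is a simplified model of the documented default, not a call into the Discord API.

```javascript
// Added example (not from Quest Bot): vulnerable vs hardened reply payloads
// for a moderation command that echoes a user-controlled reason.

const MASS_MENTION = /@(everyone|here)\b/;

// Pre-1.0.5 shape (assumed wording): the reason is interpolated into the
// message body and no allowedMentions is set, so Discord parses every
// mention that the moderator typed.
function buildUnbanReplyVulnerable(targetTag, reason) {
  return { content: `Unbanned ${targetTag}. Reason: ${reason}` };
}

// Hardened shape: same text, but allowedMentions.parse is empty, so
// @everyone/@here (and user/role mentions) in the body are shown as plain
// text and notify nobody.
function buildUnbanReplyHardened(targetTag, reason) {
  return {
    content: `Unbanned ${targetTag}. Reason: ${reason}`,
    allowedMentions: { parse: [] },
  };
}

// Simplified model of Discord's rule (assumption, mirrors the documented
// default): with no allowed_mentions object every mention in content is
// resolved; with one present, only the categories listed in parse[] are.
function wouldMassPing(payload) {
  if (!MASS_MENTION.test(payload.content)) return false;
  if (payload.allowedMentions === undefined) return true;
  const parse = payload.allowedMentions.parse ?? [];
  return parse.includes('everyone');
}

// Constructed sample reason as a moderator could submit it.
const reason = 'appeal accepted @everyone please welcome them back';
const vuln = buildUnbanReplyVulnerable('user#0001', reason);
const safe = buildUnbanReplyHardened('user#0001', reason);
console.log(wouldMassPing(vuln)); // true
console.log(wouldMassPing(safe)); // false
```

Setting `parse: []` rather than trying to strip `@everyone` from the text is the right shape of fix: the text is still displayed verbatim for the audit trail, but nothing in it can notify anyone, and the same setting also neutralises user and role mentions that the moderator might paste in.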

Impact Analysis

This vulnerability can lead to unwanted mass notifications in your Discord server. A moderator with the Ban Members or Moderate Members permission can invoke /unban or /unwarn with @everyone or @here in the reason text and make the bot ping every member.

The impact is mostly nuisance and disruption: many users receive unexpected notifications that appear to come from a trusted bot. The severity is rated Low, with a CVSS score of 2.3.

Detection Guidance

Exploitation leaves a visible trace: a bot-authored confirmation message for an /unban or /unwarn action whose reason text contains @everyone or @here.

Review the bot's logs or the channel's message history for confirmation messages that include user-controlled reason text with a mass mention. When working from raw Discord message objects, the mention_everyone flag distinguishes a message that actually notified everyone from a hardened (post-1.0.5) reply that merely displays the literal text, so filter on that flag rather than on the text alone.

Correlate each hit with the corresponding unban or warning-removal entry in the server's audit log to identify the moderator who supplied the reason. No ready-made commands are provided on this page; any script that searches bot messages for these patterns in the context of unban or unwarn actions will surface the abuse.
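As an added example of the search described above (not code from the advisory or from Quest Bot), the function below scans a slice of message history for bot confirmations of /unban or /unwarn that actually mass-pinged. The records are constructed for the demo and only carry the fields of a Discord message object that matter here; the confirmation wording is an assumption.

```javascript
// Added detection example (not from the advisory or Quest Bot): find bot
// confirmations of unban/unwarn that carried a mass mention.

const MASS_MENTION = /@(everyone|here)\b/;
const UNBAN_UNWARN = /\bunban|\bunwarn/i;

// Constructed sample history. `mention_everyone` is the Discord API's own
// flag for "this message notified everyone/here"; a hardened reply still
// contains the literal text but leaves the flag false.
const SAMPLE_HISTORY = [
  { id: '1', author: { id: 'bot', bot: true },  content: 'Unbanned user#0001. Reason: appeal accepted',        mention_everyone: false },
  { id: '2', author: { id: 'bot', bot: true },  content: 'Unwarned user#0002. Reason: mistake @everyone sorry', mention_everyone: true },
  { id: '3', author: { id: 'mod', bot: false }, content: '@everyone server event tonight',                    mention_everyone: true },
  { id: '4', author: { id: 'bot', bot: true },  content: 'Banned user#0003. Reason: spam @here',              mention_everyone: false },
  { id: '5', author: { id: 'bot', bot: true },  content: 'Unbanned user#0004. Reason: @here oops',            mention_everyone: true },
  { id: '6', author: { id: 'bot', bot: true },  content: 'Unbanned user#0005. Reason: @everyone (patched)',   mention_everyone: false },
];

// Returns the messages that match all of: authored by the bot, refer to an
// unban/unwarn action, contain a mass-mention token, and (when the API flag
// is present) really did notify everyone. Message 6 shows the post-fix
// case: same text, but mention_everyone is false, so it is not reported.
function findMassPingAbuse(messages, botId) {
  return messages
    .filter((m) =>
      m.author.id === botId &&
      UNBAN_UNWARN.test(m.content) &&
      MASS_MENTION.test(m.content) &&
      (m.mention_everyone === undefined || m.mention_everyone === true))
    .map((m) => ({ id: m.id, content: m.content }));
}

console.log(findMassPingAbuse(SAMPLE_HISTORY, 'bot').map((m) => m.id)); // [ '2', '5' ]
```

Message 4 is skipped because it is a ban, not an unban, and message 3 because a human posted it; both are the kind of false positive a plain "@everyone" grep over the channel would return.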

Mitigation Strategies

The immediate mitigation is to upgrade Quest Bot to version 1.0.5 or later, where this vulnerability has been patched.

That release sets allowedMentions on the /unban and /unwarn replies, so the bot no longer sends mass pings through user-controlled reason text.

Additionally, review and restrict moderator permissions so that only trusted users hold Ban Members or Moderate Members, since exploitation requires those privileges. Until the upgrade is applied, removing the "Mention @everyone, @here, and All Roles" permission from the bot's role also prevents the ping from going out, provided the bot does not legitimately need it.
