CVE-2026-47175 - Vulnerability Details - OpenCVE

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to mention everyone can still make the bot send @everyone or @here if the bot has that permission. This issue has been patched in version 1.0.4.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4
https://github.com/duck-organization/questbot/security/advisories/GHSA-556x-7wgq-25fp

History

Thu, 11 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to mention everyone can still make the bot send @everyone or @here if the bot has that permission. This issue has been patched in version 1.0.4.
Title		Quest Bot: Moderation reason fields allow bot-powered `@everyone` / `@here` pings
Weaknesses		CWE-116
References		https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4 https://github.com/duck-organization/questbot/security/advisories/GHSA-556x-7wgq-25fp
Metrics		cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-11T18:29:43.264Z

Updated: 2026-06-11T18:29:43.264Z

Reserved: 2026-05-18T21:25:34.497Z

Link: CVE-2026-47175

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-11T19:16:45.730

Modified: 2026-06-11T19:16:45.730

Link: CVE-2026-47175

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-47175", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-18T21:25:34.497Z", "datePublished": "2026-06-11T18:29:43.264Z", "dateUpdated": "2026-06-11T18:29:43.264Z"}, "containers": {"cna": {"title": "Quest Bot: Moderation reason fields allow bot-powered `@everyone` / `@here` pings", "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/duck-organization/questbot/security/advisories/GHSA-556x-7wgq-25fp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-556x-7wgq-25fp"}, {"name": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4"}], "affected": [{"vendor": "duck-organization", "product": "quest-bot", "versions": [{"version": "< 1.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-11T18:29:43.264Z"}, "descriptions": [{"lang": "en", "value": "Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to mention everyone can still make the bot send @everyone or @here if the bot has that permission. This issue has been patched in version 1.0.4."}], "source": {"advisory": "GHSA-556x-7wgq-25fp", "discovery": "UNKNOWN"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to mention everyone can still make the bot send @everyone or @here if the bot has that permission. This issue has been patched in version 1.0.4."}], "id": "CVE-2026-47175", "lastModified": "2026-06-11T19:16:45.730", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-06-11T19:16:45.730", "references": [{"source": "[email protected]", "url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4"}, {"source": "[email protected]", "url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-556x-7wgq-25fp"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "[email protected]", "type": "Primary"}]}