Remote Code Execution in Red Discord Bot
Description
A remote code execution vulnerability in Red Discord Bot's Trivia module allows attackers with crafted usernames to inject code via the leaderboard command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2020-15140 is a critical remote code execution (RCE) vulnerability in the Trivia module of Red Discord Bot prior to version 3.3.11. The root cause is improper sanitization of Discord usernames when the leaderboard command processes them, allowing an attacker to inject arbitrary code [1][4].
Exploitation
An attacker only needs a Discord account with a specifically crafted username and the ability to trigger the Trivia module's leaderboard command. No additional authentication or elevated privileges are required. The exploit can be executed by any Discord user who interacts with the bot in a server where the Trivia module is enabled [4].
Impact
Successful exploitation grants the attacker arbitrary code execution on the bot's host system. This can lead to destructive actions, such as deleting files or disrupting services, and access to sensitive information, including environment variables, tokens, or other data accessible to the bot process [1][4].
Mitigation
The vulnerability is patched in Red Discord Bot version 3.3.11. As a workaround, administrators can unload the Trivia module using the unload trivia command to remove the attack vector until an update is applied [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Red-DiscordBot (PyPI) | < 3.3.11 | 3.3.11 |
Affected products
- Red-DiscordBot, affected range: < 3.3.11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] GitHub Advisory Database: https://github.com/advisories/GHSA-55j9-849x-26h4
- [2] NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-15140
- [3] Fix commit in Red-DiscordBot PR #4175: https://github.com/Cog-Creators/Red-DiscordBot/pull/4175/commits/9ab536235bafc2b42c3c17d7ce26f1cc64482a81
- [4] Project security advisory (GHSA-55j9-849x-26h4): https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-55j9-849x-26h4
- [5] PyPA advisory database (PYSEC-2020-265): https://github.com/pypa/advisory-database/tree/main/vulns/red-discordbot/PYSEC-2020-265.yaml
News mentions
No linked articles in our index yet.