CVE-2026-47171
Description
Quest Bot prior to 1.0.3 allows normal users to create reminders with @everyone/@here, which the bot sends without suppressing mass mentions, enabling unauthorized server-wide pings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the reminder feature of Quest Bot, an open-source Discord bot, in versions prior to 1.0.3. The bot accepts a user-supplied message when creating a reminder via the /reminder add command. This message is stored and later sent by the scheduler when the reminder becomes due. The input is not sanitized, and mass mentions (@everyone, @here) are not disabled when sending the reminder. Affected versions: all before 1.0.3. [1]
Exploitation
An attacker needs only a normal user account with access to the reminder command. The bot must have permission to mention @everyone or @here in the target channel. The attacker creates a reminder with a short duration and a message containing @everyone or @here. When the reminder triggers, the bot posts the stored message into the channel, and if the bot has mass-mention permission, it pings all members (or online members for @here). The asynchronous nature allows the ping to occur after the original command response disappears. [1]
Impact
A normal user can cause the bot to send a mass mention to the entire server or channel, disrupting communication and potentially causing annoyance or confusion. The attacker gains no code execution or data access, but can abuse the bot's permissions to perform unauthorized notifications. The impact is limited to social disruption and potential spam. [1]
Mitigation
The issue is patched in version 1.0.3, released on the same date as the advisory (2026-06-11). Users should update to questbot-v1.0.3 or later. No workaround is provided; the fix likely involves sanitizing reminder messages or disabling mass mentions when sending reminders. [1][2]
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), version range: <1.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The reminder message is not sanitized and mass mentions are not disabled when sending the reminder, allowing stored mass pings."
Attack vector
An attacker with access to the `/reminder add` command creates a reminder with a short duration and a message containing `@everyone` or `@here` [1]. When the reminder becomes due, the bot posts the stored message into the channel without suppressing mass mentions. If the bot has permission to mention everyone in that channel, the reminder triggers a real mass notification. Because the reminder fires asynchronously, the ping can occur after the original command response disappears, making attribution harder [1].
Affected code
The reminder feature in Quest Bot accepts a user-controlled message via the `/reminder add` command. That message is stored and later sent by the scheduler without sanitizing mass mentions or disabling the ability to ping `@everyone`/`@here`. The vulnerable input is the reminder message; the vulnerable sink is the bot sending the stored content into a guild channel.
What the fix does
The advisory states the issue is patched in version 1.0.3 but does not include a diff. The fix presumably sanitizes the reminder message to strip or escape mass mentions before storage, or disables mass mentions (e.g., by setting `allowed_mentions` to an empty list) when the bot sends the reminder into the channel. Without the patch diff, the exact mechanism is not visible.
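As an added example (not Quest Bot's own code, whose patch is not public), the following Python shows the two defences described above: escaping mass-mention tokens in the stored reminder text, and building the outgoing Discord REST message body with `allowed_mentions.parse` set to an empty list so the API never resolves `@everyone`/`@here` even when the bot holds the permission. The regex and function names are my own assumptions, not the project's.

```python
"""Hardened reminder delivery for a Discord bot (assumed fix, not Quest Bot's code).

Two independent layers:
  1. escape_mentions(): neutralise mention tokens in the stored user text.
  2. build_reminder_payload(): send with allowed_mentions.parse = [] so that
     Discord itself refuses to turn any remaining token into a ping.
"""
import re
from typing import Any

# Matches @everyone, @here and raw user/role mention tokens such as
# <@123...> or <@&123...>; Discord snowflake IDs are 17-20 digits.
_MENTION_RE = re.compile(r"@(everyone|here|[!&]?[0-9]{17,20})")

# Only the two mass-mention keywords, used for logging/alerting on abuse attempts.
_MASS_MENTION_RE = re.compile(r"@(everyone|here)\b")


def escape_mentions(text: str) -> str:
    """Insert a zero-width space after '@' so the token renders but cannot ping."""
    return _MENTION_RE.sub("@\u200b\\1", text)


def contains_mass_mention(text: str) -> bool:
    """True if the raw reminder text carries an @everyone/@here attempt."""
    return _MASS_MENTION_RE.search(text) is not None


def build_reminder_payload(message: str, *, allow_users: bool = False) -> dict[str, Any]:
    """Body for POST /channels/{id}/messages with mass-mention parsing disabled.

    `allowed_mentions.parse` lists which mention kinds Discord may resolve
    ("roles", "users", "everyone"). Leaving "everyone" out means the server
    never delivers a mass ping, regardless of the bot's channel permissions.
    """
    parse = ["users"] if allow_users else []
    return {
        "content": escape_mentions(message),
        "allowed_mentions": {"parse": parse, "replied_user": False},
    }


if __name__ == "__main__":
    # Constructed sample input mirroring the advisory's reproduction payload.
    raw = "@everyone test"
    print("abuse attempt:", contains_mass_mention(raw))
    print(build_reminder_payload(raw))
```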
Preconditions
- (config) The `/reminder add` command must be available to the attacker.
- (config) The bot must have permission to mention @everyone / @here in the target channel.
- (config) The bot must be able to send messages in the target channel.
Reproduction
1. In a guild channel, run `/reminder add duration:30s message:@everyone test`.
2. Wait 30 seconds for the reminder to become due.
3. The bot posts the reminder in the channel and includes the attacker-controlled `@everyone` text. If the bot has mass-mention permission, the message notifies everyone who can be pinged by `@everyone` in that channel.
4. A second payload also works: `/reminder add duration:30s message:@here test`.
References
News mentions
No linked articles in our index yet.