VYPR
Medium severity · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-47173

Description

Quest Bot up to v1.0.2 fails to suppress mentions in ticket reasons, letting attackers ping @everyone or roles.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Quest Bot, an open-source Discord bot for moderation and utilities, allows any user to create a ticket via a public panel. Prior to version 1.0.3, the reason field submitted during ticket creation is included in the bot's message posted in the new ticket channel without sanitizing mention tokens such as @everyone, @here, user mentions (<@USER_ID>), or role mentions (<@&ROLE_ID>). The bot also does not disable Discord's built-in mention parsing (the message's allowed-mentions setting), so the user-controlled reason triggers mass mentions whenever the bot holds the required permission [1].

Exploitation

An attacker needs only ordinary membership in a guild where Quest Bot is installed and a ticket panel is exposed, plus a bot that holds permission to mention @everyone, @here, or specific roles in the ticket channels it creates. The attack consists of opening a ticket and entering a mention payload (e.g., @everyone urgent test) as the reason. The bot posts the reason unsanitized, Discord parses the mention tokens, and every member who can see the new ticket channel is notified. No authentication bypass or elevated privileges are required [1].

Impact

Successful exploitation allows an unprivileged user to mass-mention users or roles, causing notification spam and disruption. This can lead to temporary denial of service for staff or community members and potential social engineering attacks, as the mention appears to come from the trusted bot. The attacker does not gain code execution or elevated permissions within the bot or server [1].

Mitigation

The issue is patched in version 1.0.3, released on the same day as the advisory (2026-06-11) [2]. Administrators should update Quest Bot to version 1.0.3 or later. If immediate patching is not possible, a workaround is to revoke the bot's "Mention @everyone, @here, and All Roles" permission, either on the bot's role guild-wide or as a channel override in the ticket category, though this may limit functionality; roles configured as mentionable by anyone can still be pinged without that permission, so those roles should be reviewed as well. No known KEV listing exists for this CVE.

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet.)

Vulnerability mechanics

Root cause

"User-controlled ticket reason is included in the bot's message without escaping mention syntax or disabling allowed mentions."

Attack vector

A normal guild member opens a ticket panel and submits a reason containing mention tokens such as `@everyone`, `@here`, `<@user_id>`, or `<@&role_id>`. The bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions, causing Discord to parse the tokens as real mentions [1]. If the bot has permission to use those mentions, the attacker can ping staff or everyone with access to the ticket channel.

Affected code

The ticket creation flow in Quest Bot prior to version 1.0.3 accepts a user-controlled reason from the ticket creation modal and includes it directly in the bot's ticket-opening message without escaping mention syntax or disabling allowed mentions [1].

What the fix does

The patch in version 1.0.3 escapes mention syntax or disables allowed mentions when the bot sends the ticket-opening message, preventing Discord from parsing user-controlled mention tokens as real pings [1]. The advisory does not show the exact diff, but the fix ensures that attacker-supplied ticket reasons are no longer emitted as actionable mentions.
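The two fix strategies named above, escaping the mention syntax and disabling allowed mentions, side by side with the vulnerable pattern, as an added example that is not Quest Bot's code (the advisory shows no diff). Function names, the ticket text and all ids are hypothetical; the mention token formats and the `allowed_mentions` object shape follow Discord's public message API, and `resolveMentions` is a deliberately small model of how Discord resolves pings, used only to make the difference observable offline.

```javascript
// Added example, not Quest Bot's code: neutralising attacker-controlled
// mention tokens in a ticket-opening message. Function and variable names
// are hypothetical; the mention token formats and the allowed_mentions
// object follow Discord's public message API.

// Tokens Discord resolves into pings when it parses message content.
const MASS_MENTION_RE = /@(everyone|here)/;
const ID_MENTION_RE = /<@([!&]?)(\d{15,21})>/g; // <@id>, <@!id> (user), <@&id> (role)

// Fix (a): escape. A zero-width space after '@' breaks the mention grammar
// while the text still reads the same to a human.
function escapeMentions(text) {
  return text
    .replace(/@(everyone|here)/g, '@\u200b$1')
    .replace(ID_MENTION_RE, '<@\u200b$1$2>');
}

// Vulnerable pattern (Quest Bot <= 1.0.2 per the advisory): the reason is
// interpolated verbatim and no allowed_mentions is sent, so Discord parses
// every token in the content.
function buildTicketMessageVulnerable(opener, reason) {
  return { content: `Ticket opened by <@${opener.id}>\nReason: ${reason}` };
}

// Fix (b): disable parsing. parse: [] stops Discord from resolving
// @everyone/@here, users and roles found in the content; the opener is still
// pinged because they are named in the explicit users list, which Discord
// honours even with an empty parse array. Escaping is kept as a second layer.
function buildTicketMessageFixed(opener, reason) {
  return {
    content: `Ticket opened by <@${opener.id}>\nReason: ${escapeMentions(reason)}`,
    allowed_mentions: { parse: [], users: [opener.id], roles: [] },
  };
}

// Minimal model of Discord's server-side mention resolution, enough to show
// the difference between the two payloads. It deliberately ignores channel
// permissions: on a real server mass mentions additionally require the bot
// to hold "Mention @everyone, @here, and All Roles".
function resolveMentions(payload) {
  const { content, allowed_mentions: am } = payload;
  const everyoneInContent = MASS_MENTION_RE.test(content);
  const usersInContent = new Set();
  const rolesInContent = new Set();
  for (const m of content.matchAll(ID_MENTION_RE)) {
    (m[1] === '&' ? rolesInContent : usersInContent).add(m[2]);
  }
  const result = { everyone: false, users: new Set(), roles: new Set() };

  if (am === undefined) {
    // No allowed_mentions field: everything in the content is parsed.
    result.everyone = everyoneInContent;
    usersInContent.forEach((u) => result.users.add(u));
    rolesInContent.forEach((r) => result.roles.add(r));
    return result;
  }
  const parse = am.parse || [];
  result.everyone = parse.includes('everyone') && everyoneInContent;
  if (parse.includes('users')) usersInContent.forEach((u) => result.users.add(u));
  if (parse.includes('roles')) rolesInContent.forEach((r) => result.roles.add(r));
  // Explicit allow-lists only matter for ids that actually appear in the content.
  for (const u of am.users || []) if (usersInContent.has(u)) result.users.add(u);
  for (const r of am.roles || []) if (rolesInContent.has(r)) result.roles.add(r);
  return result;
}

// Constructed sample input: the advisory's reproduction payload plus a role
// and a user mention. All ids are made up.
const OPENER = { id: '100000000000000001' };
const ATTACK_REASON =
  '@everyone urgent test <@&200000000000000002> <@300000000000000003>';

function demo() {
  const vuln = resolveMentions(buildTicketMessageVulnerable(OPENER, ATTACK_REASON));
  const fixed = resolveMentions(buildTicketMessageFixed(OPENER, ATTACK_REASON));
  return {
    vulnerablePingsEveryone: vuln.everyone,  // true
    vulnerableRoles: [...vuln.roles],        // ['200000000000000002']
    vulnerableUsers: [...vuln.users],        // opener and the injected user
    fixedPingsEveryone: fixed.everyone,      // false
    fixedRoles: [...fixed.roles],            // []
    fixedUsers: [...fixed.users],            // only the opener
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Either layer alone defeats the reproduction payload; sending `allowed_mentions` with `parse: []` is the more robust one because it is enforced by Discord regardless of what the content contains, while escaping only covers the token forms the regex knows about. Keeping the opener in the explicit `users` list preserves the one ping the ticket flow legitimately needs.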

Preconditions

  • Ticket system must be configured with a public ticket panel
  • Bot must have permission to create ticket channels and send messages in them
  • For @everyone/@here impact, bot must have permission to mention everyone in the ticket channel
  • For role mention impact, the target role must be mentionable or Discord must allow the bot to mention it

Reproduction

1. As a normal guild member, click the Create Ticket button.
2. In the reason field, enter: `@everyone urgent test`
3. Submit the modal.
4. The bot creates a ticket channel and posts the ticket-opening message containing the attacker-controlled reason.
5. If the bot has mass-mention permission, @everyone is parsed as a real mention and notifies everyone with access to that ticket channel.

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet.)