VYPR
Low severity · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-47175

Description

Quest Bot before 1.0.4 allows moderators to abuse moderation commands to trigger @everyone/@here pings via reason fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Quest Bot, an open-source Discord bot, prior to version 1.0.4 contains a vulnerability in several moderation commands (/ban, /unban, /kick, /mute, /unmute, /warn, /unwarn). These commands echo user-controlled reason text in public bot replies without disabling mention parsing. If the bot has permission to mention @everyone or @here, a moderator who does not have that permission can still cause the bot to send such mentions. All versions before 1.0.4 are affected [1][2].

Exploitation

An attacker must have at least one moderation permission (e.g., Moderate Members, Kick Members, Ban Members) and the bot must have the ability to mention @everyone or @here. The attacker runs a moderation command with a reason containing @everyone or @here. The bot immediately posts a public confirmation message that includes the mention, triggering a mass notification. The attacker can then cancel the action, but the ping has already occurred [2].

Impact

A lower-level moderator can abuse the bot to perform mass notification spam that they may not be allowed to perform directly. This can disrupt large servers, generate unwanted notifications, and make the abuse appear to originate from the bot. The impact is limited to spam and annoyance; no data compromise or privilege escalation is involved [2].

Mitigation

The issue is patched in version 1.0.4, as indicated by the release and security advisory [1][2]. Users should update Quest Bot to version 1.0.4 or later. No workaround is documented; the fix likely disables mention parsing in reason fields for moderation commands.

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"Moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing."

Attack vector

An attacker who has one moderation permission (e.g. Moderate Members, Kick Members, or Ban Members) but lacks the 'Mention Everyone' permission can supply a reason string containing `@everyone` or `@here` to any of the affected commands [1]. The bot echoes this reason in a public confirmation message before the moderation action is finalized, and if the bot itself has mass-mention permission, Discord parses the mention and sends a notification to the entire channel. The attacker can then cancel the action, but the ping has already occurred.

Affected code

The moderation commands `/ban`, `/unban`, `/kick`, `/mute`, `/unmute`, `/warn`, and `/unwarn` echo the user-supplied reason text in public bot replies without disabling mention parsing. The vulnerable sink is the bot's public confirmation and result messages.

What the fix does

The advisory states the issue is patched in version 1.0.4 but does not include a diff. The fix would need to disable mention parsing (e.g. by escaping `@` characters or using Discord's `allowed_mentions` option) in the bot's reply messages for the affected moderation commands, so that user-controlled reason text is displayed literally rather than triggering mass mentions.

Preconditions

  • network: Bot must be in a guild channel where it can send messages
  • config: Bot must have permission to mention @everyone / @here
  • auth: Attacker must have one moderation permission (e.g. Moderate Members, Kick Members, or Ban Members)
  • auth: Attacker does not need their own Mention Everyone permission

Reproduction

Setup assumptions:

  • Bot is in a guild channel where it can send messages.
  • Bot has permission to mention @everyone / @here.
  • Attacker has one moderation permission needed for the selected command, such as Moderate Members, Kick Members, or Ban Members.
  • Attacker does not need their own Mention Everyone permission.

Steps:

1. As the attacker, run: `/warn member:@Target reason:@everyone test`.
2. Observe the bot's confirmation message.
3. Expected result: the bot posts a public confirmation message containing @everyone.
4. If the bot has mass-mention permission, the guild/channel receives an @everyone notification.
5. The attacker can press Cancel afterward; the ping has already happened.

Alternative payload: `/kick member:@Target reason:@here test`. Expected result: the bot posts the confirmation message and triggers @here if Discord allows the bot to use that mention.
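As an added illustration (not Quest Bot's code, which the advisory does not show), the following Python models the reply payload the affected commands send and the `allowed_mentions` fix described under "What the fix does", checked against the reason strings from the reproduction steps above. `would_mass_ping` is a constructed approximation of Discord's server-side mention parsing, not a Discord API; the payload shape (`content`, `allowed_mentions.parse`) is the real Discord REST message format that discord.js and discord.py both map onto.

```python
import re

# Tokens Discord treats as mass mentions when parsing outgoing message content.
MASS_MENTION_RE = re.compile(r"@(everyone|here)\b")


def vulnerable_reply(action: str, target: str, reason: str) -> dict:
    """Reply payload as the affected commands built it (modelled, not the real
    Quest Bot code): the reason is interpolated verbatim and no allowed_mentions
    object is sent, so Discord applies its default mention parsing."""
    return {"content": f"{action} {target}. Reason: {reason}"}


def hardened_reply(action: str, target: str, reason: str) -> dict:
    """Same message with allowed_mentions.parse set to [], so every mention in
    the user-controlled reason is rendered as plain text and notifies nobody."""
    return {
        "content": f"{action} {target}. Reason: {reason}",
        "allowed_mentions": {"parse": []},
    }


def would_mass_ping(payload: dict, bot_can_mention_everyone: bool) -> bool:
    """Constructed approximation of Discord's decision for an outgoing message.
    The moderator's own permissions never enter into it: the bot is the sender,
    which is why a moderator lacking Mention Everyone can still ping through it."""
    if not MASS_MENTION_RE.search(payload["content"]):
        return False
    if not bot_can_mention_everyone:
        return False
    allowed = payload.get("allowed_mentions")
    if allowed is None:
        return True  # no allowed_mentions object: default parsing, all types live
    # Once the object is present, only the parse types it lists are honoured.
    return "everyone" in allowed.get("parse", [])
```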

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (No linked articles in our index yet.)