VYPR
Low severity · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-47188

Description

Pre-1.0.5 QuestBot /unban and /unwarn commands echo user-controlled reason text without blocking @everyone/@here, allowing a moderator to trigger mass pings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability exists in QuestBot versions prior to 1.0.5. The /unban and /unwarn commands echo the user-provided reason in public bot messages without sanitizing mentions, specifically in functions UnbanCommand.chatInputRun (apps/bot/src/commands/moderation/ban/unban.ts) and UnwarnCommand.chatInputRun (apps/bot/src/commands/moderation/warn/unwarn.ts). These commands send raw reason content in interaction replies and updates without setting allowedMentions. [2]

Exploitation

An attacker must have the "Ban Members" permission for /unban or "Moderate Members" for /unwarn, and the bot must have permission to mention @everyone or @here. The attacker supplies a reason containing @everyone or @here. The bot posts a confirmation message that includes the mention, triggering a mass ping. The attacker can then cancel the action, but the ping has already been sent. [2]

Impact

A moderator can abuse the bot to send unwanted mass notifications, even if the moderator lacks direct mention permission. The ping appears to come from the trusted bot, causing disruption. This is a low-severity issue primarily affecting channel/server notifications. [2]

Mitigation

The issue is fixed in QuestBot version 1.0.5, released on the same date as the advisory [1]. The fix applies allowedMentions suppression to all moderation command replies. The advisory lists no workaround for versions before 1.0.5, so users should update immediately [1][2]. Because the ping only lands when the bot itself holds permission to mention @everyone or @here (see Preconditions), withdrawing that permission from the bot's role removes that precondition until the upgrade is applied.

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing `allowedMentions` suppression on user-controlled reason text in `/unban` and `/unwarn` confirmation messages allows mass-mention injection."

Attack vector

An attacker who has the Ban Members permission (for `/unban`) or Moderate Members permission (for `/unwarn`) provides a reason containing `@everyone` or `@here`. The bot posts a confirmation message that includes the raw reason text, causing Discord to process the mass mention. The attacker can then cancel the action, but the ping has already been sent. The attacker does not need their own Mention Everyone permission. [1]

Affected code

The vulnerability exists in `apps/bot/src/commands/moderation/ban/unban.ts` (function `UnbanCommand.chatInputRun`) and `apps/bot/src/commands/moderation/warn/unwarn.ts` (function `UnwarnCommand.chatInputRun`). These two commands echo the user-supplied reason field in public bot confirmation messages without applying `allowedMentions`, unlike other moderation commands that were already patched. [1]

What the fix does

The patch (version 1.0.5) adds `allowedMentions` suppression to the `/unban` and `/unwarn` reply paths, preventing the bot from processing `@everyone`, `@here`, or user mentions embedded in the reason text. This closes the gap left when other moderation commands were previously hardened. [1]
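The following is an added example illustrating the reply-payload shapes discussed in the Vulnerability and Mitigation sections above and in the Affected code and fix descriptions here. It is not QuestBot's code, not a discord.js import, and not the actual 1.0.5 diff: the `AllowedMentions`/`ReplyPayload` types mirror the shape of a discord.js message payload but are declared locally, `resolvedPings` is a local approximation of how Discord decides which mentions in `content` become pings, and the `confirmationVulnerable`/`confirmationHardened` functions, the snowflake IDs and the reason string are all constructed for illustration.

```typescript
// Added example, not QuestBot's code. Models Discord's allowed_mentions
// semantics locally so the pre-1.0.5 and hardened reply shapes can be
// compared offline. The types mirror a discord.js message payload but are
// declared here; no discord.js import is needed.

type ParseKind = "everyone" | "users" | "roles";

interface AllowedMentions {
  parse?: ParseKind[]; // mention classes Discord may resolve from content
  users?: string[];    // explicit user IDs that may still be pinged
  roles?: string[];    // explicit role IDs that may still be pinged
}

interface ReplyPayload {
  content: string;
  allowedMentions?: AllowedMentions;
}

// Approximation of gateway behaviour (assumption, not the real server code):
// with allowedMentions omitted, every mention found in content is resolved
// (the @everyone ping only lands if the bot itself has Mention Everyone,
// which the advisory's preconditions assume). With parse: [] only the
// explicit users/roles allowlists can produce pings.
function resolvedPings(payload: ReplyPayload): string[] {
  const allow = payload.allowedMentions;
  const all: ParseKind[] = ["everyone", "users", "roles"];
  const parse = new Set<ParseKind>(allow ? allow.parse || [] : all);
  const pings: string[] = [];

  if (parse.has("everyone") && /@(everyone|here)\b/.test(payload.content)) {
    pings.push("everyone");
  }

  let m: RegExpExecArray | null;
  const userRe = /<@!?(\d+)>/g;
  while ((m = userRe.exec(payload.content)) !== null) {
    if (parse.has("users") || (allow?.users || []).includes(m[1])) {
      pings.push(`user:${m[1]}`);
    }
  }

  const roleRe = /<@&(\d+)>/g;
  while ((m = roleRe.exec(payload.content)) !== null) {
    if (parse.has("roles") || (allow?.roles || []).includes(m[1])) {
      pings.push(`role:${m[1]}`);
    }
  }
  return pings;
}

// Pre-1.0.5 shape as the advisory describes it: the user-controlled reason
// is interpolated into a public confirmation and no allowedMentions is set.
function confirmationVulnerable(action: string, targetTag: string, reason: string): ReplyPayload {
  return { content: `${action} ${targetTag}. Reason: ${reason}` };
}

// Hardened shape: the reason still appears verbatim (moderators can read
// what was typed), but parse: [] tells Discord to resolve nothing from the
// text. If the command wants to ping the acting moderator, allowlist that
// single ID explicitly rather than re-enabling parsing of user mentions.
function confirmationHardened(action: string, targetTag: string, reason: string, moderatorId: string): ReplyPayload {
  return {
    content: `${action} ${targetTag} (by <@${moderatorId}>). Reason: ${reason}`,
    allowedMentions: { parse: [], users: [moderatorId] },
  };
}

// Constructed reason an attacker with Ban Members could submit to /unban.
const injectedReason = "appeal accepted @everyone see <@&112233445566778899> <@123456789012345678>";
console.log("vulnerable:", resolvedPings(confirmationVulnerable("Unbanned", "someone#0001", injectedReason)));
console.log("hardened:  ", resolvedPings(confirmationHardened("Unbanned", "someone#0001", injectedReason, "200000000000000001")));
```

The point the model makes explicit is that the fix is an allowlist, not a blocklist: stripping `@everyone` from the reason string would still leave `@here` and role mentions, whereas `parse: []` disables content-driven resolution wholesale and the only pings that survive are the IDs the command itself chose to name.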

Preconditions

  • config: Bot must be in a guild channel where it can send messages
  • config: Bot must have permission to mention @everyone or @here
  • auth: Attacker must have Ban Members permission for /unban, or Moderate Members permission for /unwarn
  • input: Attacker provides a reason containing @everyone or @here

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
