CVE-2026-48485
Description
Quest Bot before 1.1.6 fails to suppress mentions in stored warning reasons displayed by /warns, enabling delayed mass pings via @everyone or @here.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Quest Bot versions prior to 1.1.6 contain a stored mention-injection vulnerability in the /warns command. The /warn command suppresses mentions in its confirmation messages, but the warning reason is stored unchanged. When /warns later displays active warnings, it places the stored reason directly into the response content without disabling mentions, allowing @everyone or @here to trigger a mass ping if the bot has the required permission [2].
Exploitation
An attacker needs permission to use the /warn command and the bot must have permission to mention @everyone or @here. The attacker creates a warning with @everyone (or @here) in the reason field, then runs /warns on the target member. The bot outputs the stored reason, causing an immediate mass ping [2]. No user interaction beyond the attacker's actions is required.
Impact
A moderator who may not be allowed to mention everyone directly can abuse the bot to perform delayed mass notifications. The ping appears to come from the trusted bot, potentially disrupting large servers. The impact is primarily availability (server disruption) and integrity (spoofed trusted source). No code execution or data disclosure is involved.
Mitigation
The vulnerability is patched in Quest Bot version 1.1.6 [1]. Users should update to this version or later. As a workaround, restrict the bot's mention permissions or limit which roles can use the /warn command. No KEV listing exists for this CVE.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE) range: <1.1.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Stored warning reasons are printed by /warns without mention suppression, allowing delayed mass pings."
Attack vector
An attacker with permission to use `/warn` supplies a reason containing `@everyone` or `@here`. The warning confirmation suppresses the mention, so no ping occurs at that moment. Later, when `/warns` displays the stored reason, the bot emits the mention without suppression, causing a mass ping if the bot has the required permission. This is a stored mention-injection attack [ref_id=1].
Affected code
The vulnerability exists in the `/warn` command's reason handling and the `/warns` command's output. The `/warn` command stores the reason unchanged, and `/warns` prints it without mention suppression, unlike other commands that suppress mentions. The advisory does not specify exact file paths or function names beyond the command names `/warn` and `/warns`.
What the fix does
The patch (version 1.1.6) applies mention suppression to the `/warns` command output, mirroring the suppression already present in the `/warn` confirmation messages. This ensures that stored warning reasons cannot trigger mass pings when displayed later. The advisory does not show the exact diff, but the fix closes the delayed injection path by sanitizing the output at the sink.
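As an added illustration (this is not Quest Bot's code; the bot's library, storage layer and command handlers are assumed), the following shows the /warns reply sink in the vulnerable shape and in the shape the 1.1.6 fix describes. It uses the `content` plus `allowedMentions` payload shape of the Discord API and discord.js, and includes a small offline model of Discord's allowed_mentions parsing so the two payloads can be checked without a live bot:

```javascript
// Added example, not Quest Bot's code. The builders return the payload shape
// used by the Discord REST API / discord.js (`content` + `allowedMentions`);
// the bot itself, its library and its warning storage are assumed.

// Constructed sample of stored warnings, persisted verbatim by /warn.
const STORED_WARNINGS = [
  { id: 1, moderator: 'mod#0001', reason: 'spamming links' },
  { id: 2, moderator: 'mod#0002', reason: 'rude @everyone come look' }, // injected mention
];

function formatWarnings(warnings) {
  return warnings.map((w) => `#${w.id} by ${w.moderator}: ${w.reason}`).join('\n');
}

// Vulnerable sink: stored reasons go straight into `content` with no
// allowedMentions, so Discord parses @everyone / @here out of the text.
function buildWarnsReplyVulnerable(warnings) {
  return { content: formatWarnings(warnings) };
}

// Fixed sink: identical text, but allowedMentions.parse = [] tells Discord to
// render no mentions at all, mirroring the suppression /warn already applies.
function buildWarnsReplyFixed(warnings) {
  return {
    content: formatWarnings(warnings),
    allowedMentions: { parse: [] },
  };
}

// Simplified offline model of Discord's allowed_mentions handling: a mass ping
// occurs only if the text contains @everyone/@here AND the payload permits the
// 'everyone' parse type. When allowedMentions is absent, Discord's default is
// to parse every mention type, which is what makes the vulnerable sink fire.
function wouldMassPing(payload) {
  const hasMassMention = /@(everyone|here)\b/.test(payload.content);
  const allowed = payload.allowedMentions
    ? payload.allowedMentions.parse ?? []
    : ['users', 'roles', 'everyone'];
  return hasMassMention && allowed.includes('everyone');
}

// Stand-alone run: prints whether each payload would mass-ping.
console.log('vulnerable:', wouldMassPing(buildWarnsReplyVulnerable(STORED_WARNINGS)));
console.log('fixed:', wouldMassPing(buildWarnsReplyFixed(STORED_WARNINGS)));
```

The point of fixing at the sink is visible in the two builders: the displayed text is unchanged, so moderators still read the reason exactly as stored, while the payload metadata denies Discord permission to resolve the mass mention. The bot's own MENTION_EVERYONE permission (the precondition listed on this page) only matters when the payload allows the parse in the first place.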
Preconditions
- config: Bot must have permission to mention @everyone / @here in the guild
- auth: Attacker must have permission to use the /warn command
- input: Attacker supplies a reason containing @everyone or @here
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.