CVE-2026-47188 | Quest Bot is an opensource modern Discord Bot built for mode… | CVSS 2.3 LOW

Description

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the latest release suppresses mentions in several moderation commands, but /unban and /unwarn still echo user-controlled reason text in public bot messages without allowedMentions. A moderator can use @everyone or @here in the reason and make the bot send a mass ping. This issue has been patched in version 1.0.5.

Metadata

CVE ID: CVE-2026-47188
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-18 22:07 UTC
Published: 2026-06-11 18:30 UTC
Last updated: 2026-06-13 02:32 UTC
Primary CWE: CWE-116
CWE-116: Improper Encoding or Escaping of Output
Vendor / Product: duck-organization / quest-bot
Sources: cve.org · NVD

Severity & Metrics

2.3 LOW CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
duck-organization	quest-bot	—	< 1.0.5

Weakness (CWE)

CWE	Source	Description
CWE-116	cna	CWE-116: Improper Encoding or Escaping of Output

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.3	LOW	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References (2)

https://github.com/duck-organization/questbot/security/advisories/GHSA-r978-qqg9-vvxw https://github.com/duck-organization/questbot/security/advisories/GHSA-r978-qqg9-vvxw
https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.5 https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.5