Quest Bot: Ticket reason allows mass-mention injection_CVE-2026-47173

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Description

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions. If the bot has permission to use those mentions, the attacker can make the bot ping staff or everyone with access to the ticket channel. This issue has been patched in version 1.0.3.

Basic Information

ID CVE-2026-47173

Source GitHub_M

Published Jun 11, 2026 at 18:29

Affected Product

Vendor duck-organization

Product quest-bot

Version < 1.0.3

Affected Versions duck-organization quest-bot < 1.0.3

CWE Classification

CWE-116

References

{
    "lastseen": "",
    "description": "Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions. If the bot has permission to use those mentions, the attacker can make the bot ping staff or everyone with access to the ticket channel. This issue has been patched in version 1.0.3.",
    "published": "2026-06-11T18:29:32.344Z",
    "modified": "2026-06-11T18:29:32.344Z",
    "type": "cve",
    "title": "Quest Bot: Ticket reason allows mass-mention injection",
    "source": "GitHub_M",
    "references": "https://github.com/duck-organization/questbot/security/advisories/GHSA-27xg-395c-xfcx\nhttps://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3",
    "id": "CVE-2026-47173",
    "bulletinFamily": "",
    "cwe": [
        "CWE-116"
    ],
    "cvelist": null,
    "sourceData": "duck-organization quest-bot < 1.0.3",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "quest-bot",
    "version": "< 1.0.3",
    "vendor": "duck-organization",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}