Description
Quest Bot is an open-source, modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains @everyone or @here. When the reminder triggers, the bot sends the stored message back into the channel without suppressing mass mentions. If the bot has permission to mention everyone, the reminder can ping the entire server or channel later. This issue has been patched in version 1.0.3.
Published: 2026-06-11
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability enables a normal user to create a reminder containing @everyone or @here. When the reminder expires, Quest Bot reposts the stored message into the channel without suppressing mass mentions. If the bot is granted permission to mention everyone, the reminder can ping the entire server or channel, resulting in widespread notifications and potential disruption. The weakness stems from improper handling of mass mention tokens in stored messages, categorized as CWE‑116.

Affected Systems

The issue affects the Discord bot family Quest Bot by duck‑organization. Versions prior to 1.0.3 are vulnerable; the fix was introduced in release 1.0.3.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker be a regular user on the Discord server and that the bot possesses "Mention Everyone" privileges. Once those conditions are met, the attacker can trigger the reminder to broadcast mass mentions, which may lead to noise, potential DoS by exhausting resources, and severe annoyance for members.

Generated by OpenCVE AI on June 11, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quest Bot to version 1.0.3 or later.
  • Revoke or restrict the bot’s "Mention Everyone" permission on the Discord server to prevent mass mentions.
  • Disable the reminder feature or monitor the bot’s messages for unexpected mass mentions as a temporary workaround.
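The suppression and monitoring steps above can be sketched as follows. This is an added example, not Quest Bot's code and not its 1.0.3 patch. It builds the JSON body for Discord's create-message endpoint with `allowed_mentions` set so stored text cannot trigger a mass mention. The function names, the sample user ID and the assumption that the bot pings the reminder's owner are hypothetical.

```python
import re

# The two mass-mention tokens named in the advisory.
MASS_MENTION = re.compile(r"@(everyone|here)")
ZWSP = "\u200b"  # zero-width space: breaks the token, text still reads the same


def contains_mass_mention(text: str) -> bool:
    return MASS_MENTION.search(text) is not None


def neutralize(text: str) -> str:
    """Defense in depth: break the token so it cannot resolve as a mention."""
    return MASS_MENTION.sub(lambda m: "@" + ZWSP + m.group(1), text)


def build_reminder_payload(owner_id: str, stored_text: str) -> dict:
    """JSON body for the create-message call that delivers a stored reminder.

    allowed_mentions is the primary control: an empty "parse" list tells
    Discord to resolve no mentions from the content, and "users" re-enables
    only the reminder's owner (assumed behaviour, not taken from the page).
    """
    return {
        "content": f"<@{owner_id}> reminder: {neutralize(stored_text)}",
        "allowed_mentions": {"parse": [], "users": [owner_id]},
    }


def audit_outgoing(payloads: list) -> list:
    """Monitoring check: return payloads that could still ping everyone."""
    flagged = []
    for p in payloads:
        am = p.get("allowed_mentions")
        # With no allowed_mentions field, Discord parses every mention in content.
        parses_everyone = am is None or "everyone" in am.get("parse", [])
        if parses_everyone and contains_mass_mention(p.get("content", "")):
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    OWNER = "100000000000000001"  # constructed sample ID
    safe = build_reminder_payload(OWNER, "standup @everyone and @here")
    unsafe = {"content": "standup @everyone"}  # constructed: stored text replayed as-is
    print(safe)
    print("flagged:", audit_outgoing([unsafe, safe]))
```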

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 19:00:00 +0000

Type: Description
Values Added: Quest Bot is an open-source, modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains @everyone or @here. When the reminder triggers, the bot sends the stored message back into the channel without suppressing mass mentions. If the bot has permission to mention everyone, the reminder can ping the entire server or channel later. This issue has been patched in version 1.0.3.

Type: Title
Values Added: Quest Bot: Reminder messages allow stored mass mentions through `@everyone` and `@here`

Type: Weaknesses
Values Added: CWE-116

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T18:59:23.300Z

Reserved: 2026-05-18T21:25:34.497Z

Link: CVE-2026-47171

Vulnrichment

Updated: 2026-06-11T18:59:05.539Z

NVD

Status: Deferred

Published: 2026-06-11T19:16:45.080

Modified: 2026-06-11T20:58:18.123

Link: CVE-2026-47171

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:15:09Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output