Description
Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(""), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6.
Published: 2026-06-12
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Quest Bot's automod add command trims user input but does not reject an empty result. This oversight allows the creation of an automod rule that contains only whitespace, which is stored as an empty string. The bot's message listener later checks if message content includes an empty string. Because every string contains an empty string, that condition is always true, causing the bot to delete every non‑bot message in the guild.

Affected Systems

The vulnerability affects the Duck Organization Quest Bot for Discord. Versions earlier than v1.1.6 are impacted. The bot operates within Discord guilds and leverages Discord’s API; any guild where the bot is installed with automod add permissions is at risk.

Risk and Exploitability

The CVSS vector shows a score of 8.4, indicating high severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Since the exploit requires the ability to add automod rules, an attacker would need at least administrator permissions in the Discord server or control over the bot's command interface. The attack is straightforward and does not require advanced techniques, but its impact is drastic, eliminating all guild messages.

Generated by OpenCVE AI on June 12, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quest Bot to version 1.1.6 or later, which removes the empty rule handling bug.
  • Restrict the automod add command to trusted administrators only and monitor command usage.
  • If an upgrade is not immediately possible, temporarily disable the automod feature or delete all existing automod rules to prevent unintended message deletions.

Generated by OpenCVE AI on June 12, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Duck-organization
Duck-organization questbot
Vendors & Products Duck-organization
Duck-organization questbot

Fri, 12 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Description Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(""), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6.
Title Quest Bot: Empty automod rule causes every guild message to be deleted
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H'}

Subscriptions

Duck-organization Questbot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T15:00:29.677Z

Reserved: 2026-05-18T22:07:37.435Z

Link: CVE-2026-47196

cve-icon Vulnrichment

Updated: 2026-06-12T14:38:38.454Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T13:16:33.527

Modified: 2026-06-12T16:16:29.797

Link: CVE-2026-47196

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:20:40Z

Weaknesses
  • CWE-20

    Improper Input Validation