CVE Catalog

CVE-2026-47173

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

13th percentile — higher than 13% of all known CVEs

Summary

Quest Bot is a modern Discord bot that, prior to version 1.0.3, allowed normal users to create tickets with reasons containing @everyone, @here, user mentions, or role mentions. When the ticket was created, the bot posted the attacker-controlled reason into the new ticket channel without suppressing mentions.

Risk Assessment

An attacker could exploit this vulnerability to ping staff or everyone with access to the ticket channel, potentially leading to unauthorized notifications and disruption of team operations.

Recommendation

It is recommended to update the bot to version 1.0.3 or later to eliminate this vulnerability and secure the system against potential attacks.

Original NVD description (English source)

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions. If the bot has permission to use those mentions, the attacker can make the bot ping staff or everyone with access to the ticket channel. This issue has been patched in version 1.0.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS