CVE-2026-47171 | THREATINT

Description

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains @everyone or @here. When the reminder triggers, the bot sends the stored message back into the channel without suppressing mass mentions. If the bot has permission to mention everyone, the reminder can ping the entire server or channel later. This issue has been patched in version 1.0.3.

PUBLISHED Reserved 2026-05-18 | Published 2026-06-11 | Updated 2026-06-11 | Assigner GitHub_M

HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-116: Improper Encoding or Escaping of Output

Product status

< 1.0.3

affected

References

github.com/...estbot/security/advisories/GHSA-vmgg-f3m4-6fcv exploit

github.com/...estbot/security/advisories/GHSA-vmgg-f3m4-6fcv

github.com/...nization/questbot/releases/tag/questbot-v1.0.3

cve.org (CVE-2026-47171)

nvd.nist.gov (CVE-2026-47171)

Download JSON