CVE-2026-47173— Quest Bot: Ticket reason allows mass-mention injection
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| duck-organization | quest-bot | < 1.0.3 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47173
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Quest Bot: Ticket reason allows mass-mention injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions. If the bot has permission to use those mentions, the attacker can make the bot ping staff or everyone with access to the ticket channel. This issue has been patched in version 1.0.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对输出编码和转义不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Quest Bot 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Quest Bot是Duck Organization开源的一款多功能Discord社区管理机器人。 Quest Bot 1.0.3之前版本存在安全漏洞,该漏洞源于工单创建时未抑制提及,可能导致攻击者使机器人向工作人员或频道成员发送提及。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| duck-organization | quest-bot | < 1.0.3 | - |
II. Public POCs for CVE-2026-47173
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-47173
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-47173 (1)
Vendor Pages for CVE-2026-47173 (1)
- 🔗 Release questbot-v1.0.3 · duck-organization/questbot · GitHubx_refsource_MISC
Same Patch Batch · duck-organization · 2026-06-11 · 11 CVEs total
| CVE-2026-47188 | Quest Bot: Unban and unwarn reason fields still allow bot-powered mass mentions. | |
| CVE-2026-47189 | Quest Bot: AutoMod removal can delete rules from another guild by global rule ID | |
| CVE-2026-47163 | Quest Bot: Unprivileged users can create and remove AutoMod rules. | |
| CVE-2026-47175 | Quest Bot: Moderation reason fields allow bot-powered `@everyone` / `@here` pings | |
| CVE-2026-47177 | Quest Bot: Ticket transcripts can disclose private ticket contents to a lower-visibility c | |
| CVE-2026-47174 | Duck Site: Untrusted pull request code can trigger privileged production deployment | |
| CVE-2026-47176 | Quest Bot: Logging module can disclose private-channel message contents to a lower-visibil | |
| CVE-2026-47171 | Quest Bot: Reminder messages allow stored mass mentions through `@everyone` and `@here` | |
| CVE-2026-47172 | Quest Bot: Untrusted pull request code can be built and deployed by privileged `workflow_r | |
| CVE-2026-47169 | Quest Bot: Manage Server users can configure AutoRole to grant Administrator to controlled |
IV. Related Vulnerabilities
Same product: quest-bot
- CVE-2026-47189
Quest Bot: AutoMod removal can delete rules from another gui - CVE-2026-47188
Quest Bot: Unban and unwarn reason fields still allow bot-po - CVE-2026-47177
Quest Bot: Ticket transcripts can disclose private ticket co - CVE-2026-47176
Quest Bot: Logging module can disclose private-channel messa - CVE-2026-47175
Quest Bot: Moderation reason fields allow bot-powered `@ever
Same vendor: duck-organization
- CVE-2026-49347
Quest Bot: Ticket creation has no per-user open-ticket limit - CVE-2026-48485
Quest Bot: Stored warn reasons can still trigger bot-powered - CVE-2026-47197
Quest Bot: Discord moderation role hierarchy bypass in ban, - CVE-2026-47195
Quest Bot: Per-channel permission overwrite bypass in purge - CVE-2026-47196
Quest Bot: Empty automod rule causes every guild message to
Same weakness: CWE-116
- CVE-2026-47206
Dragonfly: RESP Protocol Injection via Lua redis.error_reply - CVE-2026-52846
Caddy: stripHTML template function bypass - CVE-2026-56379
ImageMagick - Command Injection via SVG Decoder - CVE-2026-54287
Hono: AWS Lambda adapter merges multiple `Set-Cookie` header - CVE-2026-44913
Apache NiFi: Improper Escaping of Table Names in CaptureChan
V. Comments for CVE-2026-47173
No comments yet