10 vulnerabilities found for questbot by duck-organization
CVE-2026-49347 (GCVE-0-2026-49347)
Vulnerability from nvd – Published: 2026-06-12 11:54 – Updated: 2026-06-12 13:41
VLAI
Title
Quest Bot: Ticket creation has no per-user open-ticket limit or cooldown
Summary
Quest Bot is an open-source Discord bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. Affected versions create a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/duck-organization/questbot/sec… | x_refsource_CONFIRM |
| https://github.com/duck-organization/questbot/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| duck-organization | questbot | Affected: < 1.1.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49347",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T13:41:37.941109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:41:50.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-r56q-v363-367q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "questbot",
"vendor": "duck-organization",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T11:54:07.695Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/duck-organization/questbot/security/advisories/GHSA-r56q-v363-367q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-r56q-v363-367q"
},
{
"name": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.8"
}
],
"source": {
"advisory": "GHSA-r56q-v363-367q",
"discovery": "UNKNOWN"
},
"title": "Quest Bot: Ticket creation has no per-user open-ticket limit or cooldown"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49347",
"datePublished": "2026-06-12T11:54:07.695Z",
"dateReserved": "2026-05-29T14:35:45.903Z",
"dateUpdated": "2026-06-12T13:41:50.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48485 (GCVE-0-2026-48485)
Vulnerability from nvd – Published: 2026-06-12 11:53 – Updated: 2026-06-12 13:43
VLAI
Title
Quest Bot: Stored warn reasons can still trigger bot-powered mass mentions through `/warns`.
Summary
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, the bot suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/duck-organization/questbot/sec… | x_refsource_CONFIRM |
| https://github.com/duck-organization/questbot/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| duck-organization | questbot | Affected: < 1.1.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48485",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T13:43:14.500223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:43:22.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-xjm4-8ggw-8jwf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "questbot",
"vendor": "duck-organization",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the latest release suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T11:53:14.940Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/duck-organization/questbot/security/advisories/GHSA-xjm4-8ggw-8jwf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-xjm4-8ggw-8jwf"
},
{
"name": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6"
}
],
"source": {
"advisory": "GHSA-xjm4-8ggw-8jwf",
"discovery": "UNKNOWN"
},
"title": "Quest Bot: Stored warn reasons can still trigger bot-powered mass mentions through `/warns`."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48485",
"datePublished": "2026-06-12T11:53:14.940Z",
"dateReserved": "2026-05-21T15:33:08.291Z",
"dateUpdated": "2026-06-12T13:43:22.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47197 (GCVE-0-2026-47197)
Vulnerability from nvd – Published: 2026-06-12 11:52 – Updated: 2026-06-13 02:52
VLAI
Title
Quest Bot: Discord moderation role hierarchy bypass in ban, kick, mute, unmute, warn, and nickname commands
Summary
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/duck-organization/questbot/sec… | x_refsource_CONFIRM |
| https://github.com/duck-organization/questbot/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| duck-organization | questbot | Affected: < 1.1.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47197",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T02:51:28.842316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T02:52:59.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-qw95-583r-hrwp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "questbot",
"vendor": "duck-organization",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord\u2019s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T11:52:48.796Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/duck-organization/questbot/security/advisories/GHSA-qw95-583r-hrwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-qw95-583r-hrwp"
},
{
"name": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6"
}
],
"source": {
"advisory": "GHSA-qw95-583r-hrwp",
"discovery": "UNKNOWN"
},
"title": "Quest Bot: Discord moderation role hierarchy bypass in ban, kick, mute, unmute, warn, and nickname commands"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47197",
"datePublished": "2026-06-12T11:52:48.796Z",
"dateReserved": "2026-05-18T22:07:37.435Z",
"dateUpdated": "2026-06-13T02:52:59.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47196 (GCVE-0-2026-47196)
Vulnerability from nvd – Published: 2026-06-12 11:51 – Updated: 2026-06-12 15:00
VLAI
Title
Quest Bot: Empty automod rule causes every guild message to be deleted
Summary
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(""), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/duck-organization/questbot/sec… | x_refsource_CONFIRM |
| https://github.com/duck-organization/questbot/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| duck-organization | questbot | Affected: < 1.1.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47196",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:38:27.646921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:00:29.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-fgwg-6px5-cxp5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "questbot",
"vendor": "duck-organization",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(\"\"), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T11:51:35.814Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/duck-organization/questbot/security/advisories/GHSA-fgwg-6px5-cxp5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-fgwg-6px5-cxp5"
},
{
"name": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6"
}
],
"source": {
"advisory": "GHSA-fgwg-6px5-cxp5",
"discovery": "UNKNOWN"
},
"title": "Quest Bot: Empty automod rule causes every guild message to be deleted"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47196",
"datePublished": "2026-06-12T11:51:35.814Z",
"dateReserved": "2026-05-18T22:07:37.435Z",
"dateUpdated": "2026-06-12T15:00:29.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47195 (GCVE-0-2026-47195)
Vulnerability from nvd – Published: 2026-06-12 11:52 – Updated: 2026-06-12 12:26
VLAI
Title
Quest Bot: Per-channel permission overwrite bypass in purge and slowmode commands.
Summary
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/duck-organization/questbot/sec… | x_refsource_CONFIRM |
| https://github.com/duck-organization/questbot/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| duck-organization | questbot | Affected: < 1.1.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47195",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T12:25:56.524743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:26:16.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-2wf8-554w-hrj9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "questbot",
"vendor": "duck-organization",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member\u2019s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T11:52:01.245Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/duck-organization/questbot/security/advisories/GHSA-2wf8-554w-hrj9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-2wf8-554w-hrj9"
},
{
"name": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6"
}
],
"source": {
"advisory": "GHSA-2wf8-554w-hrj9",
"discovery": "UNKNOWN"
},
"title": "Quest Bot: Per-channel permission overwrite bypass in purge and slowmode commands."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47195",
"datePublished": "2026-06-12T11:52:01.245Z",
"dateReserved": "2026-05-18T22:07:37.435Z",
"dateUpdated": "2026-06-12T12:26:16.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49347 (GCVE-0-2026-49347)
Vulnerability from cvelistv5 – Published: 2026-06-12 11:54 – Updated: 2026-06-12 13:41
VLAI
Title
Quest Bot: Ticket creation has no per-user open-ticket limit or cooldown
Summary
Quest Bot is an open-source Discord bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. Affected versions create a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/duck-organization/questbot/sec… | x_refsource_CONFIRM |
| https://github.com/duck-organization/questbot/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| duck-organization | questbot | Affected: < 1.1.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49347",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T13:41:37.941109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:41:50.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-r56q-v363-367q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "questbot",
"vendor": "duck-organization",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T11:54:07.695Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/duck-organization/questbot/security/advisories/GHSA-r56q-v363-367q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-r56q-v363-367q"
},
{
"name": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.8"
}
],
"source": {
"advisory": "GHSA-r56q-v363-367q",
"discovery": "UNKNOWN"
},
"title": "Quest Bot: Ticket creation has no per-user open-ticket limit or cooldown"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49347",
"datePublished": "2026-06-12T11:54:07.695Z",
"dateReserved": "2026-05-29T14:35:45.903Z",
"dateUpdated": "2026-06-12T13:41:50.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48485 (GCVE-0-2026-48485)
Vulnerability from cvelistv5 – Published: 2026-06-12 11:53 – Updated: 2026-06-12 13:43
VLAI
Title
Quest Bot: Stored warn reasons can still trigger bot-powered mass mentions through `/warns`.
Summary
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, the bot suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/duck-organization/questbot/sec… | x_refsource_CONFIRM |
| https://github.com/duck-organization/questbot/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| duck-organization | questbot | Affected: < 1.1.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48485",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T13:43:14.500223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:43:22.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-xjm4-8ggw-8jwf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "questbot",
"vendor": "duck-organization",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the latest release suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T11:53:14.940Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/duck-organization/questbot/security/advisories/GHSA-xjm4-8ggw-8jwf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-xjm4-8ggw-8jwf"
},
{
"name": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6"
}
],
"source": {
"advisory": "GHSA-xjm4-8ggw-8jwf",
"discovery": "UNKNOWN"
},
"title": "Quest Bot: Stored warn reasons can still trigger bot-powered mass mentions through `/warns`."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48485",
"datePublished": "2026-06-12T11:53:14.940Z",
"dateReserved": "2026-05-21T15:33:08.291Z",
"dateUpdated": "2026-06-12T13:43:22.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47197 (GCVE-0-2026-47197)
Vulnerability from cvelistv5 – Published: 2026-06-12 11:52 – Updated: 2026-06-13 02:52
VLAI
Title
Quest Bot: Discord moderation role hierarchy bypass in ban, kick, mute, unmute, warn, and nickname commands
Summary
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/duck-organization/questbot/sec… | x_refsource_CONFIRM |
| https://github.com/duck-organization/questbot/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| duck-organization | questbot | Affected: < 1.1.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47197",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T02:51:28.842316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T02:52:59.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-qw95-583r-hrwp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "questbot",
"vendor": "duck-organization",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord\u2019s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T11:52:48.796Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/duck-organization/questbot/security/advisories/GHSA-qw95-583r-hrwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-qw95-583r-hrwp"
},
{
"name": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6"
}
],
"source": {
"advisory": "GHSA-qw95-583r-hrwp",
"discovery": "UNKNOWN"
},
"title": "Quest Bot: Discord moderation role hierarchy bypass in ban, kick, mute, unmute, warn, and nickname commands"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47197",
"datePublished": "2026-06-12T11:52:48.796Z",
"dateReserved": "2026-05-18T22:07:37.435Z",
"dateUpdated": "2026-06-13T02:52:59.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47195 (GCVE-0-2026-47195)
Vulnerability from cvelistv5 – Published: 2026-06-12 11:52 – Updated: 2026-06-12 12:26
Title
Quest Bot: Per-channel permission overwrite bypass in purge and slowmode commands.
Summary
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run, so per-channel permission overwrites are ignored. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/duck-organization/questbot/security/advisories/GHSA-2wf8-554w-hrj9 | x_refsource_CONFIRM |
| https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| duck-organization | questbot | Affected: < 1.1.6 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47195",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T12:25:56.524743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:26:16.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-2wf8-554w-hrj9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "questbot",
"vendor": "duck-organization",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member\u2019s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T11:52:01.245Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/duck-organization/questbot/security/advisories/GHSA-2wf8-554w-hrj9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-2wf8-554w-hrj9"
},
{
"name": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6"
}
],
"source": {
"advisory": "GHSA-2wf8-554w-hrj9",
"discovery": "UNKNOWN"
},
"title": "Quest Bot: Per-channel permission overwrite bypass in purge and slowmode commands."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47195",
"datePublished": "2026-06-12T11:52:01.245Z",
"dateReserved": "2026-05-18T22:07:37.435Z",
"dateUpdated": "2026-06-12T12:26:16.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47196 (GCVE-0-2026-47196)
Vulnerability from cvelistv5 – Published: 2026-06-12 11:51 – Updated: 2026-06-12 15:00
Title
Quest Bot: Empty automod rule causes every guild message to be deleted
Summary
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(""), which is always true because every string contains the empty string, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/duck-organization/questbot/security/advisories/GHSA-fgwg-6px5-cxp5 | x_refsource_CONFIRM |
| https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| duck-organization | questbot | Affected: < 1.1.6 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47196",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:38:27.646921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:00:29.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-fgwg-6px5-cxp5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "questbot",
"vendor": "duck-organization",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(\"\"), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T11:51:35.814Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/duck-organization/questbot/security/advisories/GHSA-fgwg-6px5-cxp5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-fgwg-6px5-cxp5"
},
{
"name": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6"
}
],
"source": {
"advisory": "GHSA-fgwg-6px5-cxp5",
"discovery": "UNKNOWN"
},
"title": "Quest Bot: Empty automod rule causes every guild message to be deleted"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47196",
"datePublished": "2026-06-12T11:51:35.814Z",
"dateReserved": "2026-05-18T22:07:37.435Z",
"dateUpdated": "2026-06-12T15:00:29.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}