PatchSiren cyber security CVE debrief
CVE-2026-47173 duck-organization CVE debrief
CVE-2026-47173 is a vulnerability in Quest Bot, an open-source, modern Discord bot. A normal user can create a ticket whose reason contains @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions. If the bot has permission to use those mentions, the attacker can make the bot ping staff or everyone with access to the ticket channel. This issue has been patched in version 1.0.3.
- Vendor: duck-organization
- Product: quest-bot
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Users of Quest Bot prior to version 1.0.3, administrators of Discord servers using Quest Bot, and security teams monitoring for potential ping-based attacks.
Technical summary
The vulnerability allows unauthenticated users to create tickets with malicious mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions, potentially pinging staff or everyone with access to the channel.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Quest Bot to version 1.0.3 or later.
- Review and restrict bot permissions to prevent unnecessary mentions.
- Monitor ticket creation and bot activity for suspicious behavior.
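The following is an added example, not Quest Bot's own code (this page does not show the project's implementation). It demonstrates the fix the advisory implies and the monitoring action above: when a bot echoes user-supplied text into a channel, the message payload should carry Discord's `allowed_mentions` field with an empty `parse` list so the text is rendered but nobody is notified, and the raw reason can be scanned for mention syntax to log suspicious ticket creations. The sample reason string and the 1024-character cap are constructed for the example; `allowed_mentions: { parse: [] }` is the real Discord "Create Message" field (discord.js exposes it as `allowedMentions`). The functions below build a plain payload object and do not call the Discord API, so they run offline.

```javascript
// Added example (not Quest Bot's code): post user-controlled ticket text
// without letting it ping anyone, and flag mention-bearing reasons for review.

// Discord mention syntax: <@id> or <@!id> (user), <@&id> (role), @everyone, @here.
const MENTION_PATTERNS = {
  everyone: /@everyone\b/,
  here: /@here\b/,
  user: /<@!?\d+>/,
  role: /<@&\d+>/,
};

// Constructed sample of an attacker-controlled ticket reason (not a real IoC).
const SAMPLE_REASON =
  '@everyone please help <@&123456789012345678> <@987654321098765432>';

// Return the kinds of mention found in `reason`; useful for the monitoring
// step: log or alert when a newly created ticket carries mass mentions.
function findMentions(reason) {
  return Object.keys(MENTION_PATTERNS).filter((kind) =>
    MENTION_PATTERNS[kind].test(reason)
  );
}

// Vulnerable shape of the payload: the reason is forwarded verbatim and no
// allowed_mentions field is set, so Discord resolves every mention the bot
// has permission to use.
function buildTicketMessageVulnerable(reason) {
  return { content: `Ticket reason: ${reason}` };
}

// Hardened shape: allowed_mentions with an empty parse list tells Discord to
// render the mention text without notifying anyone, regardless of the bot's
// permissions. maxLength is an assumed sanity cap on user input.
function buildTicketMessage(reason, { maxLength = 1024 } = {}) {
  const text = String(reason).slice(0, maxLength);
  return {
    content: `Ticket reason: ${text}`,
    allowed_mentions: { parse: [] },
  };
}

// Defence in depth for text that is forwarded somewhere allowed_mentions does
// not apply (for example relayed to another bot or system): insert a
// zero-width space after the '@' so the mention syntax no longer parses.
function defuseMentions(text) {
  return String(text)
    .replace(/@(everyone|here)/g, '@\u200b$1')
    .replace(/<@([!&]?\d+)>/g, '<@\u200b$1>');
}

console.log('mentions found:', findMentions(SAMPLE_REASON));
console.log('hardened payload:', JSON.stringify(buildTicketMessage(SAMPLE_REASON)));
console.log('defused text:', defuseMentions(SAMPLE_REASON));
```

In a discord.js bot the hardened payload maps to `channel.send({ content, allowedMentions: { parse: [] } })`; the same `allowed_mentions` object can be set at client construction so every outgoing message defaults to no pings, which is the setting to reach for when many code paths echo user input.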
Evidence notes
CVE-2026-47173 has a CVSS score of 6.3 and is classified as MEDIUM severity. The vulnerability was published on 2026-06-11T19:16:45.403Z and modified on 2026-06-12T15:16:28.670Z.