PatchSiren cyber security CVE debrief
CVE-2026-47175 duck-organization CVE debrief
CVE-2026-47175 is a low-severity vulnerability in Quest Bot, an open-source Discord bot. The bot echoes user-controlled reason text in public replies without disabling mention parsing. A moderator who lacks the permission to mention everyone can therefore make the bot send @everyone or @here, provided the bot itself has that permission. The issue was patched in version 1.0.4.
- Vendor: duck-organization
- Product: quest-bot
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-13
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-13
Who should care
Users of Quest Bot, particularly moderators and administrators of Discord servers that run the bot, should be aware of this vulnerability. Although the CVSS score is low (2.3), it is essential to update to version 1.0.4 so that the bot can no longer be made to send @everyone or @here on behalf of a moderator who lacks that permission.
Technical summary
The vulnerability exists in the moderation commands of Quest Bot. Prior to version 1.0.4, the bot echoes user-controlled reason text in public replies without disabling mention parsing. Because the reply is sent by the bot, a moderator who does not have the permission to mention everyone can still make the bot send @everyone or @here if the bot has that permission.
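A simplified model of the behaviour described above, as an added example that is not Quest Bot's code and not its actual patch. The function names, reply wording and sample input are assumptions; `allowed_mentions` is the Discord message field that controls mention parsing.

```python
import re

# Discord permission bit for "Mention @everyone, @here, and All Roles".
MENTION_EVERYONE = 1 << 17

MASS_MENTION = re.compile(r"@(everyone|here)\b")


def build_reply_vulnerable(target: str, reason: str) -> dict:
    """Echo the reason with no allowed_mentions: Discord parses every mention."""
    return {"content": f"{target} was warned. Reason: {reason}"}


def build_reply_hardened(target: str, reason: str) -> dict:
    """Same text, but an empty parse list tells Discord to ping nobody."""
    return {
        "content": f"{target} was warned. Reason: {reason}",
        "allowed_mentions": {"parse": []},
    }


def would_mass_ping(payload: dict, bot_permissions: int) -> bool:
    """Simplified model of Discord's decision for @everyone/@here.

    The check uses the sender's (the bot's) permissions, never those of
    the moderator who supplied the text, which is the root of the issue.
    """
    if not MASS_MENTION.search(payload["content"]):
        return False
    if not bot_permissions & MENTION_EVERYONE:
        return False
    allowed = payload.get("allowed_mentions")
    if allowed is None:  # field omitted: default is to parse everything
        return True
    return "everyone" in allowed.get("parse", [])


if __name__ == "__main__":
    reason = "repeated spam, see @everyone"  # constructed moderator input
    for build in (build_reply_vulnerable, build_reply_hardened):
        payload = build("user#0001", reason)
        print(build.__name__, would_mass_ping(payload, MENTION_EVERYONE))
```

The hardened payload keeps the reason text readable in the reply; only the notification is suppressed.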
Defensive priority
Low
Recommended defensive actions
- Update Quest Bot to version 1.0.4 or later.
- Review moderation commands and permissions to ensure proper configuration.
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. References to the patched version and security advisory are available.
Official resources
CVE-2026-47175 was published on 2026-06-11T19:16:45.730Z and modified on 2026-06-13T03:16:21.127Z.