PatchSiren cyber security CVE debrief
CVE-2026-47188 duck-organization CVE debrief
CVE-2026-47188 is a low-severity vulnerability in Quest Bot, a Discord bot, that allows moderators to send mass pings using the /unban and /unwarn commands. The vulnerability exists because the bot echoes user-controlled reason text in public bot messages without properly handling allowedMentions. This allows a moderator to use @everyone or @here in the reason and make the bot send a mass ping. The issue was patched in version 1.0.5 of Quest Bot.
- Vendor: duck-organization
- Product: quest-bot
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-13
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-13
Who should care
Users of Quest Bot, specifically moderators who use the /unban and /unwarn commands, should be aware of this vulnerability and ensure they are running version 1.0.5 or later to prevent mass pings.
Technical summary
CVE-2026-47188 is a low-severity vulnerability with a CVSS score of 2.3. It exists in Quest Bot versions prior to 1.0.5. The vulnerability allows moderators to send mass pings using the /unban and /unwarn commands. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
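The allowedMentions handling named in the summary above can be checked offline with a small model of Discord's `allowed_mentions` rules. This is an added example, not Quest Bot's code or its 1.0.5 patch; the function names, the reply wording and the sample reason are constructed, and it assumes the bot holds the Mention Everyone permission with no client-wide default set.

```javascript
// Added example, not Quest Bot's code. Function names and the reply wording
// are hypothetical. Models Discord's allowed_mentions rules for content.
const MASS = /@(everyone|here)\b/g;
const USER = /<@!?(\d+)>/g;
const ROLE = /<@&(\d+)>/g;

// Lists the mentions in payload.content that would notify someone.
// Assumes the bot holds the Mention Everyone permission and the client sets
// no default allowedMentions, so a missing field means "parse everything".
function effectivePings(payload) {
  const am = payload.allowedMentions;
  const parse = am ? (am.parse ?? []) : ['everyone', 'roles', 'users'];
  const pings = [];
  if (parse.includes('everyone')) {
    for (const m of payload.content.matchAll(MASS)) pings.push('@' + m[1]);
  }
  for (const m of payload.content.matchAll(USER)) {
    const listed = (am?.users ?? []).includes(m[1]);
    if (parse.includes('users') || listed) pings.push('user:' + m[1]);
  }
  for (const m of payload.content.matchAll(ROLE)) {
    const listed = (am?.roles ?? []).includes(m[1]);
    if (parse.includes('roles') || listed) pings.push('role:' + m[1]);
  }
  return pings;
}

// Before: the reason is echoed and the payload carries no allowedMentions.
function unbanReplyUnsafe(targetId, reason) {
  return { content: `<@${targetId}> was unbanned. Reason: ${reason}` };
}

// After: same content, but only the unbanned user is allowed to be notified.
function unbanReplySafe(targetId, reason) {
  return {
    content: `<@${targetId}> was unbanned. Reason: ${reason}`,
    allowedMentions: { parse: [], users: [targetId] },
  };
}

// Constructed sample reason text.
const reason = 'appeal accepted @everyone <@&111> <@222>';
console.log(effectivePings(unbanReplyUnsafe('999', reason)));
console.log(effectivePings(unbanReplySafe('999', reason)));
```

The same `effectivePings` check can be run in a unit test over every public reply a bot builds from moderator-supplied text, so a payload that lacks a restrictive `allowedMentions` fails before release.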
Defensive priority
Low
Recommended defensive actions
- Update Quest Bot to version 1.0.5 or later to prevent mass pings.
- Moderators should exercise caution when using the /unban and /unwarn commands with user-controlled reason text.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found in the source item at [source-item] and in the source references at [ref-4] and [ref-5].
Official resources
CVE-2026-47188 was published on 2026-06-11T19:16:46.460Z and modified on 2026-06-13T03:16:21.250Z.