PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47196 duck-organization CVE debrief

CVE-2026-47196 is a HIGH severity vulnerability in Quest Bot, an open-source Discord Bot. The automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(''), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6.

Vendor: duck-organization
Product: questbot
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Users of Quest Bot, specifically those who manage or interact with Discord servers that utilize the bot, should be aware of this vulnerability. The vulnerability could allow an attacker to disrupt communication in Discord guilds by causing the bot to delete messages.

Technical summary

Quest Bot's automod add command trims user input but does not reject a result that is empty after trimming. An attacker can therefore add a rule consisting only of whitespace, which the bot stores as an empty word. The message listener then evaluates content.includes(''), and because every JavaScript string contains the empty string, that check is always true. As a result, the bot deletes all non-bot guild messages.
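The flaw described above, next to a hardened form, as an added example that is not Quest Bot's own source. All function names and the array-based rule store are assumptions made for illustration, and the sample inputs are constructed.

```javascript
// Added illustration: names and the array rule store are hypothetical,
// not taken from the Quest Bot code base.

// Pattern described in the advisory: trim, then store without an empty check.
function addRuleVulnerable(rules, input) {
  rules.push(input.trim());
  return true;
}

// Hardened add: refuse anything that is empty once trimmed.
function addRuleHardened(rules, input) {
  const word = typeof input === 'string' ? input.trim() : '';
  if (word.length === 0) return false; // whitespace-only rule rejected
  if (!rules.includes(word)) rules.push(word);
  return true;
}

// Listener check as described: delete when the content includes a stored word.
// With '' stored, content.includes('') is true for every message.
function shouldDeleteNaive(rules, content) {
  return rules.some((word) => content.includes(word));
}

// Defense in depth: skip empty entries that may already be in storage.
function shouldDeleteGuarded(rules, content) {
  return rules.some(
    (word) => typeof word === 'string' && word.trim().length > 0 && content.includes(word)
  );
}

// One-time cleanup for rule lists written before the input check existed.
function purgeEmptyRules(rules) {
  return rules.filter((word) => typeof word === 'string' && word.trim().length > 0);
}

// Constructed sample data: a whitespace-only rule and an ordinary message.
const legacyRules = [];
addRuleVulnerable(legacyRules, '   ');
console.log(shouldDeleteNaive(legacyRules, 'good morning'));   // empty rule matches
console.log(shouldDeleteGuarded(legacyRules, 'good morning')); // empty rule ignored
console.log(purgeEmptyRules(legacyRules).length);              // nothing left to match
```

The guarded listener and the cleanup matter after upgrading as well, because an empty word stored before the fix would otherwise keep matching every message.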

Defensive priority

HIGH

Recommended defensive actions

  • Update Quest Bot to version 1.1.6 or later to patch the vulnerability.
  • Review and restrict automod commands to trusted users.
  • Monitor bot activity and guild messages for unusual deletion patterns.

Evidence notes

The vulnerability was patched in version 1.1.6 of Quest Bot. References to the patched version and advisory can be found at [ref-4](https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6) and [ref-5](https://github.com/duck-organization/questbot/security/advisories/GHSA-fgwg-6px5-cxp5).

Official resources

CVE-2026-47196 was published on 2026-06-12T13:16:33.527Z and modified on 2026-06-12T16:16:29.797Z.