PatchSiren

CVE-2026-48485 duck-organization CVE debrief

CVE-2026-48485 is a low-severity vulnerability in Quest Bot, an open-source Discord bot. Prior to version 1.1.6, the bot suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. This allows a moderator to create a warning with @everyone or @here in the reason and then have the bot output that reason later through /warns, causing a mass ping if the bot has permission. The vulnerability has been patched in version 1.1.6.

Vendor: duck-organization
Product: questbot
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Users of Quest Bot, particularly moderators and administrators of Discord servers that use the bot, should be aware of this vulnerability and ensure they are running version 1.1.6 or later to prevent potential mass pings.

Technical summary

The bot does not suppress mentions when it prints stored warning reasons through the /warns command. An @everyone or @here placed in a warning reason is therefore rendered as a live mention when /warns outputs it, which produces a mass ping if the bot has permission.

Defensive priority

Low

Recommended defensive actions

  • Update Quest Bot to version 1.1.6 or later to patch the vulnerability.
  • Review stored warning reasons for @everyone or @here and update them to prevent potential mass pings.
  • Ensure moderators and administrators are aware of the vulnerability and its potential impact.
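
The sketch below is an added example, not Quest Bot's code or the 1.1.6 patch. It shows one way to audit stored warning reasons for mass-mention tokens and to build a /warns reply that cannot ping. The record layout, function names and sample data are assumptions made for illustration; `allowed_mentions` is the Discord message field that controls which mentions in the content are allowed to notify.

```python
import re

# @everyone and @here are the two mass-mention tokens named in the advisory.
MASS_MENTION = re.compile(r"@(everyone|here)")
ZERO_WIDTH_SPACE = "\u200b"


def audit_reasons(warnings):
    """Return the ids of stored warnings whose reason holds a mass-mention token."""
    return [w["id"] for w in warnings if MASS_MENTION.search(w["reason"])]


def neutralize(reason):
    """Insert a zero-width space after '@' so the token no longer parses as a mention."""
    return MASS_MENTION.sub(lambda m: "@" + ZERO_WIDTH_SPACE + m.group(1), reason)


def build_warns_payload(warnings):
    """Build a message body that lists stored warnings with every mention disabled."""
    lines = [f"{n}. {neutralize(w['reason'])}" for n, w in enumerate(warnings, 1)]
    return {
        "content": "\n".join(lines) or "No warnings.",
        # An empty parse list tells Discord to notify nobody for mentions in content.
        "allowed_mentions": {"parse": []},
    }


# Constructed sample records; the bot's real storage schema is not given on the page.
SAMPLE_WARNINGS = [
    {"id": 1, "reason": "spamming links"},
    {"id": 2, "reason": "rule 3 @everyone look"},
    {"id": 3, "reason": "see @here"},
]

if __name__ == "__main__":
    print("warnings to review:", audit_reasons(SAMPLE_WARNINGS))
    print(build_warns_payload(SAMPLE_WARNINGS))
```

Setting `allowed_mentions` on the outgoing message is the control that matters at output time; rewriting the text is a second layer that also protects any other code path that echoes the stored reason.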

Evidence notes

The vulnerability was patched in version 1.1.6 of Quest Bot. References to the patched version and security advisories can be found at [ref-4](https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6) and [ref-5](https://github.com/duck-organization/questbot/security/advisories/GHSA-xjm4-8ggw-8jwf).

Official resources

CVE-2026-48485 was published on 2026-06-12T13:16:33.820Z and modified on 2026-06-12T15:56:54.563Z.