PatchSiren cyber security CVE debrief
CVE-2026-49347 duck-organization CVE debrief
CVE-2026-49347 is a vulnerability in Quest Bot, an open-source Discord Bot. Prior to version 1.1.8, the bot allowed any user with access to the ticket panel to repeatedly create new ticket channels without checking for existing open tickets or applying a cooldown. This issue has been patched in version 1.1.8.
- Vendor: duck-organization
- Product: questbot
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Quest Bot, particularly on servers where members have access to the ticket panel, should be aware of this vulnerability and ensure they are running version 1.1.8 or later to prevent repeated ticket channel creation.
Technical summary
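The vulnerability is rated medium severity with a CVSS score of 5.3. It allows any user with access to the ticket panel to repeatedly create new ticket channels. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The base metrics describe a network-reachable, low-complexity issue that requires low privileges and no user interaction, with low availability impact and no confidentiality or integrity impact; all remaining metrics are Not Defined (X).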
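The two checks described as missing before 1.1.8, an existing-open-ticket check and a cooldown, are shown below as a per-user gate. This is an added example, not Quest Bot's code or its 1.1.8 patch; the choice of JavaScript, the class and method names, the in-memory maps, the 60-second cooldown and the caller-supplied `createChannel` function are all assumptions.

```javascript
// Added example: per-user ticket gate (hypothetical names; not Quest Bot's code).
const COOLDOWN_MS = 60000; // assumed cooldown value

class TicketGate {
  constructor(cooldownMs = COOLDOWN_MS) {
    this.cooldownMs = cooldownMs;
    this.open = new Map();        // userId -> channelId, or null while creation is pending
    this.lastAttempt = new Map(); // userId -> time (ms) of the last accepted request
  }

  // Synchronous check-and-reserve. It runs before any await, so two rapid
  // clicks from the same user cannot both pass the open-ticket check.
  reserve(userId, now = Date.now()) {
    if (this.open.has(userId)) return "already_open";
    const last = this.lastAttempt.get(userId);
    if (last !== undefined && now - last < this.cooldownMs) return "cooldown";
    this.open.set(userId, null);
    this.lastAttempt.set(userId, now);
    return "ok";
  }

  // Record the channel once it exists.
  commit(userId, channelId) { this.open.set(userId, channelId); }

  // Call when channel creation fails or when the ticket is closed.
  release(userId) { this.open.delete(userId); }

  // createChannel is a caller-supplied async function (assumption) that makes
  // the actual channel-creation call and resolves to the new channel id.
  async openTicket(userId, createChannel, now = Date.now()) {
    const verdict = this.reserve(userId, now);
    if (verdict !== "ok") return { created: false, reason: verdict };
    try {
      const channelId = await createChannel(userId);
      this.commit(userId, channelId);
      return { created: true, channelId };
    } catch (err) {
      this.release(userId); // free the slot; the cooldown still applies
      throw err;
    }
  }
}
```

The maps here are lost on restart, so a deployed bot would need to persist this state or rebuild it from the ticket channels that already exist.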
Defensive priority
MEDIUM
Recommended defensive actions
- Update Quest Bot to version 1.1.8 or later to patch the vulnerability.
- Restrict access to the ticket panel to authorized users only.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4] and [ref-5].
Official resources
CVE-2026-49347 was published on 2026-06-12T13:16:34.030Z and modified on 2026-06-12T15:56:54.563Z.