
Duck-Organization Quest-Bot vulnerabilities

10 known vulnerabilities affecting duck-organization/quest-bot.

Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 4, MEDIUM 3, LOW 2

Vulnerabilities

CVE-2026-47172 | P2 | CRITICAL | CVSS 9.5 | fixed in 1.0.3 | 2026-06-11
CVE-2026-47172 [CRITICAL] CWE-829: Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks out the triggering workflow’s head_sha, builds that cod
Source: nvd
CVE-2026-47171 | P3 | HIGH | CVSS 8.8 | fixed in 1.0.3 | 2026-06-11
CVE-2026-47171 [HIGH] CWE-116: Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains @everyone or @here. When the reminder triggers, the bot sends the stored message back into the channel without suppressing mass mentions. If the bot has permission to mention every
Source: nvd
CVE-2026-47189 | P3 | HIGH | CVSS 8.3 | fixed in 1.0.5 | 2026-06-11
CVE-2026-47189 [HIGH] CWE-639: Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim guild’s AutoMod rule ID through autocomplete, then remov
Source: nvd
CVE-2026-47169 | P3 | HIGH | CVSS 7.5 | fixed in 1.0.3 | 2026-06-11
CVE-2026-47169 [HIGH] CWE-266: Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot’s AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot’s highest
Source: nvd
CVE-2026-47163 | P3 | HIGH | CVSS 7.2 | fixed in 1.0.1 | 2026-06-11
CVE-2026-47163 [HIGH] CWE-862: Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission requirement and no runtime moderator permission check. An attacker can add a rule
Source: nvd
CVE-2026-47173 | P3 | MEDIUM | CVSS 6.3 | fixed in 1.0.3 | 2026-06-11
CVE-2026-47173 [MEDIUM] CWE-116: Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentio
Source: nvd
CVE-2026-47176 | P4 | MEDIUM | CVSS 5.7 | fixed in 1.0.4 | 2026-06-11
CVE-2026-47176 [MEDIUM] CWE-200: Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can enable logging and choose a logging channel they can read. The bot then logs deleted and edited message contents from every channel it can see, including private channels the configuring user can
Source: nvd
CVE-2026-47177 | P4 | MEDIUM | CVSS 5.7 | fixed in 1.0.4 | 2026-06-11
CVE-2026-47177 [MEDIUM] CWE-200: Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it to that configured transcript channel. This can expose
Source: nvd
CVE-2026-47175 | P4 | LOW | CVSS 2.3 | fixed in 1.0.4 | 2026-06-11
CVE-2026-47175 [LOW] CWE-116: Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to mention everyone can still make the bot send @everyone or @here if the bot has
Source: nvd
CVE-2026-47188 | P4 | LOW | CVSS 2.3 | fixed in 1.0.5 | 2026-06-11
CVE-2026-47188 [LOW] CWE-116: Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.5, the latest release suppresses mentions in several moderation commands, but /unban and /unwarn still echo user-controlled reason text in public bot messages without allowedMentions. A moderator can use @everyone or @here in the reason and ma
Source: nvd