CVE-2026-47171

Quest Bot: Reminder messages allow stored mass mentions through `@everyone` and `@here`

CVSS 8.8 HIGHEPSS 0.3%CWE-116

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.8EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

11 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains @everyone or @here. When the reminder triggers, the bot sends the stored message back into the channel without suppressing mass mentions. If the bot has permission to mention everyone, the reminder can ping the entire server or channel later. This issue has been patched in version 1.0.3.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Affected products

duck-organization · quest-bot

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3 https://github.com/duck-organization/questbot/security/advisories/GHSA-vmgg-f3m4-6fcv