CVE-2026-47163

Quest Bot: Unprivileged users can create and remove AutoMod rules.

CVSS 7.2 HIGHEPSS 0.2%CWE-862

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.2EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

11 jun 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission requirement and no runtime moderator permission check. An attacker can add a rule matching common text and make the bot delete other users’ messages. This issue has been patched in version 1.0.1.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Productos afectados

duck-organization · quest-bot

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.1 https://github.com/duck-organization/questbot/security/advisories/GHSA-rphh-4h68-qr3j