CVE-2026-47171
HIGH
Quest Bot: Reminder messages allow stored mass mentions through `@everyone` and `@here`
Title source: cna
Description
Quest Bot is an open-source, modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains `@everyone` or `@here`. When the reminder triggers, the bot sends the stored message back into the channel without suppressing mass mentions. If the bot has permission to mention everyone, the reminder can ping the entire server or channel later. This issue has been patched in version 1.0.3.
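The mitigation pattern for this class of bug, as an added example (not Quest Bot's code or its actual patch). It assumes the bot posts reminders through Discord's Create Message endpoint, whose `allowed_mentions` field controls which mentions are parsed; the function names and sample reminders are hypothetical.

```python
import re

# "@everyone" / "@here" anywhere in the text; deliberately broad (also hits "@hereafter").
MASS_MENTION = re.compile(r"@(everyone|here)", re.IGNORECASE)
ZWSP = "\u200b"  # zero-width space: breaks the token but is invisible when rendered


def has_mass_mention(text: str) -> bool:
    return MASS_MENTION.search(text) is not None


def neutralize(text: str) -> str:
    """Defence in depth: make the token inert even if allowed_mentions is dropped later."""
    return MASS_MENTION.sub(lambda m: "@" + ZWSP + m.group(1), text)


def build_reminder_payload(stored_message: str, author_id: int) -> dict:
    """JSON body for Create Message when a reminder fires (hypothetical helper)."""
    return {
        "content": f"<@{author_id}> reminder: {neutralize(stored_message)}",
        # parse=[] disables @everyone/@here, role and user parsing;
        # only the reminder's own author is allowed to be pinged.
        "allowed_mentions": {"parse": [], "users": [str(author_id)]},
    }


def audit_stored(reminders: list[dict]) -> list[int]:
    """IDs of already-stored reminders that carry a mass-mention token."""
    return [r["id"] for r in reminders if has_mass_mention(r["message"])]


# Constructed sample rows, standing in for reminders saved before an upgrade.
SAMPLE_REMINDERS = [
    {"id": 1, "author_id": 111, "message": "stand-up in 10 minutes"},
    {"id": 2, "author_id": 222, "message": "@everyone meeting moved"},
    {"id": 3, "author_id": 333, "message": "heads up @here"},
]

if __name__ == "__main__":
    print("flagged:", audit_stored(SAMPLE_REMINDERS))
    for row in SAMPLE_REMINDERS:
        print(build_reminder_payload(row["message"], row["author_id"]))
```

The `allowed_mentions` setting is the authoritative control because Discord enforces it server-side; the text rewrite only covers the case where a later code path forwards the stored string without it.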
References (2)
x_refsource_confirm: https://github.com/duck-organization/questbot/security/advisories/GHSA-vmgg-f3m4-6fcv
x_refsource_misc: https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3
Scores
CVSS v4: 8.8
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0032
EPSS Percentile: 23.9%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-116
Status: published
Products (1): duck-organization/quest-bot < 1.0.3
Published: Jun 11, 2026
Tracked Since: Jun 12, 2026