CVE-2026-49347
MEDIUMQuest Bot: Ticket creation has no per-user open-ticket limit or cooldown
Title source: cnaDescription
Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/duck-organization/questbot/security/advisories/GHSA-r56q-v363-367q
X_Refsource_Misc x_refsource_misc
https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.8
Scores
CVSS v4
5.3
EPSS
0.0024
EPSS Percentile
14.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (1)
duck-organization/questbot
< 1.1.8
Published
Jun 12, 2026
Tracked Since
Jun 12, 2026