CVE-2026-47196: CWE-20: Improper Input Validation in duck-organization questbot
Quest Bot, an open-source Discord bot by duck-organization, has an input validation vulnerability prior to version 1.1.6. The automod add command trims user input but does not reject empty results, allowing rules with only whitespace to be stored as empty words. This causes the bot's message listener to always match messages and delete every non-bot guild message. The issue is patched in version 1.1.6.
AI Analysis
Technical Summary
CVE-2026-47196 describes an improper input validation vulnerability (CWE-20) in the Quest Bot Discord bot. Before version 1.1.6, the automod add command trims whitespace from user input but does not reject empty strings, resulting in rules that contain empty words. The message listener checks if message content includes an empty string, which always returns true, causing the bot to delete all non-bot messages in a guild. This behavior disrupts normal message flow and can cause denial of service in affected Discord servers. The vulnerability has been fixed in Quest Bot version 1.1.6.
Potential Impact
The vulnerability causes the bot to delete every non-bot message in a guild, effectively disrupting communication and causing denial of service for users relying on the bot. This impacts the availability of normal messaging functions in Discord servers using affected versions of Quest Bot.
Mitigation Recommendations
Upgrade Quest Bot to version 1.1.6 or later, where this input validation issue has been fixed. No other mitigation is indicated or required.
CVE-2026-47196: CWE-20: Improper Input Validation in duck-organization questbot
Description
Quest Bot, an open-source Discord bot by duck-organization, has an input validation vulnerability prior to version 1.1.6. The automod add command trims user input but does not reject empty results, allowing rules with only whitespace to be stored as empty words. This causes the bot's message listener to always match messages and delete every non-bot guild message. The issue is patched in version 1.1.6.
CVSS v4.0
Score 8.4high
Affected software
pkg:github/duck-organization/questbotRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-47196 describes an improper input validation vulnerability (CWE-20) in the Quest Bot Discord bot. Before version 1.1.6, the automod add command trims whitespace from user input but does not reject empty strings, resulting in rules that contain empty words. The message listener checks if message content includes an empty string, which always returns true, causing the bot to delete all non-bot messages in a guild. This behavior disrupts normal message flow and can cause denial of service in affected Discord servers. The vulnerability has been fixed in Quest Bot version 1.1.6.
Potential Impact
The vulnerability causes the bot to delete every non-bot message in a guild, effectively disrupting communication and causing denial of service for users relying on the bot. This impacts the availability of normal messaging functions in Discord servers using affected versions of Quest Bot.
Mitigation Recommendations
Upgrade Quest Bot to version 1.1.6 or later, where this input validation issue has been fixed. No other mitigation is indicated or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-18T22:07:37.435Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2bfa79e617e2d83469ab16
Added to database: 6/12/2026, 12:24:25 PM
Last enriched: 6/12/2026, 12:39:23 PM
Last updated: 6/12/2026, 2:00:57 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.