CVE-2026-48485: CWE-116: Improper Encoding or Escaping of Output in duck-organization questbot
Quest Bot, an open-source Discord bot by duck-organization, had a vulnerability prior to version 1.1.6 where stored warning reasons containing mentions like @everyone or @here were output without mention suppression. This allowed moderators to cause mass pings when the bot displayed these reasons via the /warns command. The issue was fixed in version 1.1.6.
AI Analysis
Technical Summary
CVE-2026-48485 describes an improper encoding or escaping of output (CWE-116) in the Quest Bot Discord bot. Before version 1.1.6, while the bot suppressed mentions in certain commands, it did not suppress mentions stored in warning reasons when outputting them with the /warns command. This allowed a moderator with permission to create a warning containing mass-mention tags (@everyone, @here) that the bot would later output, triggering mass pings. The vulnerability was patched in version 1.1.6.
Potential Impact
The vulnerability can cause unwanted mass mentions in Discord channels when the bot outputs stored warning reasons containing mention tags. This can lead to user annoyance and potential disruption in Discord communities. The CVSS score is low (2.1), indicating limited impact and requiring high privileges (moderator) to exploit.
Mitigation Recommendations
Upgrade Quest Bot to version 1.1.6 or later, where mention suppression in warning reasons output has been implemented. No other mitigation is necessary as the issue is fixed in this version.
CVE-2026-48485: CWE-116: Improper Encoding or Escaping of Output in duck-organization questbot
Description
Quest Bot, an open-source Discord bot by duck-organization, had a vulnerability prior to version 1.1.6 where stored warning reasons containing mentions like @everyone or @here were output without mention suppression. This allowed moderators to cause mass pings when the bot displayed these reasons via the /warns command. The issue was fixed in version 1.1.6.
CVSS v4.0
Score 2.1low
Affected software
pkg:github/duck-organization/questbotRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-48485 describes an improper encoding or escaping of output (CWE-116) in the Quest Bot Discord bot. Before version 1.1.6, while the bot suppressed mentions in certain commands, it did not suppress mentions stored in warning reasons when outputting them with the /warns command. This allowed a moderator with permission to create a warning containing mass-mention tags (@everyone, @here) that the bot would later output, triggering mass pings. The vulnerability was patched in version 1.1.6.
Potential Impact
The vulnerability can cause unwanted mass mentions in Discord channels when the bot outputs stored warning reasons containing mention tags. This can lead to user annoyance and potential disruption in Discord communities. The CVSS score is low (2.1), indicating limited impact and requiring high privileges (moderator) to exploit.
Mitigation Recommendations
Upgrade Quest Bot to version 1.1.6 or later, where mention suppression in warning reasons output has been implemented. No other mitigation is necessary as the issue is fixed in this version.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-21T15:33:08.291Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2bfa79e617e2d83469ab1e
Added to database: 6/12/2026, 12:24:25 PM
Last enriched: 6/12/2026, 12:39:37 PM
Last updated: 6/12/2026, 2:14:41 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.