CVE-2026-47177

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it to that configured transcript channel. This can expose private ticket messages to users who could not read the original ticket channel. This issue has been patched in version 1.0.4.

CVSS

No CVSS.

References

Link	Resource
https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4
https://github.com/duck-organization/questbot/security/advisories/GHSA-4rpv-95pj-6ccg
https://github.com/duck-organization/questbot/security/advisories/GHSA-4rpv-95pj-6ccg

Configurations

No configuration.

History

11 Jun 2026, 20:16

Type	Values Removed	Values Added
References	~~() https://github.com/duck-organization/questbot/security/advisories/GHSA-4rpv-95pj-6ccg -~~	() https://github.com/duck-organization/questbot/security/advisories/GHSA-4rpv-95pj-6ccg -

11 Jun 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-11 19:16

Updated : 2026-06-11 20:58

NVD link : CVE-2026-47177

Mitre link : CVE-2026-47177

CVE.ORG link : CVE-2026-47177

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2026-47177", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-06-11T19:16:46.047", "references": [{"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4", "source": "security-advisories@github.com"}, {"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-4rpv-95pj-6ccg", "source": "security-advisories@github.com"}, {"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-4rpv-95pj-6ccg", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it to that configured transcript channel. This can expose private ticket messages to users who could not read the original ticket channel. This issue has been patched in version 1.0.4."}], "lastModified": "2026-06-11T20:58:18.123", "sourceIdentifier": "security-advisories@github.com"}