CVE-2026-47196 HIGH

CVE-2026-47196: Quest Bot: Empty automod rule causes every guild message to be deleted

Vendor Duck-Organization

Product questbot

Weakness CWE-20 · Input validation

Published June 12, 2026

Last update June 12, 2026

View on NVD All CVEs

CVSS base score

8.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H

What the vulnerability does

01Description

Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(""), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6.

Key dates

02Disclosure timeline

June 12, 2026 CVE published

June 12, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-47196 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2026-47196: Quest Bot: Empty automod rule causes every guild message to be deleted

01Description

02Disclosure timeline

03References

04Related CVE