CVE-2026-47172

· Published 11/06/2026 21:16 · Modified 11/06/2026 20:58 · Author: The MITRE Corporation

Labels: CVE-2026-47172, 2026-06-11, CWE-829

Essential information

Published: 11/06/2026 21:16
Modified: 11/06/2026 20:58
Author: The MITRE Corporation
Creator: The MITRE Corporation
CVSS: 9.5 CRITICAL (v3), 9.5 CRITICAL (v4.0)
CISA KEV: No
CWE: CWE-829

Description

Quest Bot is an open-source, modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks out the triggering workflow’s head_sha, builds that code into a Docker image, pushes it as latest, and triggers production deployment. If an attacker can open a pull request from a branch named main, the deploy workflow condition can treat the PR build as deployable and build the attacker-controlled commit in a privileged deployment context. This can result in malicious container deployment and production bot compromise. This issue has been patched in version 1.0.3.
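A gate for a workflow_run-triggered deploy job of the kind described above, as an added example that is not Quest Bot's own workflow or its 1.0.3 patch. The workflow names, job name, permissions and the weak condition shown in the comment are assumptions made for illustration.

```yaml
# .github/workflows/deploy.yml (constructed example; names are assumptions)
name: deploy
on:
  workflow_run:
    workflows: ["build"]      # assumed name of the unprivileged build workflow
    types: [completed]

permissions:
  contents: read
  packages: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Weak gate (assumed form): trusts the branch name alone. A pull request
    # opened from a fork branch called "main" also has head_branch == 'main'.
    #   if: github.event.workflow_run.head_branch == 'main'
    #
    # Hardened gate: the triggering run must have succeeded, must come from a
    # push (not a pull_request), and its head repository must be this
    # repository rather than a fork.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'push' &&
      github.event.workflow_run.head_branch == 'main' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
          fetch-depth: 0        # full history so the ancestry check below works
      - name: Refuse commits that are not on this repository's main branch
        env:
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: git merge-base --is-ancestor "$HEAD_SHA" origin/main
      # The image build, push as latest and production deployment steps
      # follow here and run only when every check above has passed.
```

The ancestry step is a second, independent check: even if the `if:` expression is later loosened, a commit that is not reachable from the repository's own main branch stops the job before any image is built.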

NVD status

Status: Deferred (CVE has been recently published to the CVE List and has been received by the NVD)

Affected products (CPE)

Product: quest / quest bot
CPE: cpe:2.3:a:quest:quest_bot:<1.0.3:*:*:*:*:*:*:*
