{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T14:25:58.860","vulnerabilities":[{"cve":{"id":"CVE-2025-47948","sourceIdentifier":"security-advisories@github.com","published":"2025-05-17T19:15:46.667","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Cocotais Bot is a QQ official robot framework based on qq-bot-sdk. Starting in version 1.5.0-test2-hotfix and prior to version 1.6.2, the command echoing feature in the framework allows users to indirectly trigger privileged behavior by injecting special platform tags. Specifically, an unauthorized user can use the `/echo <qqbot-at-everyone />` command to cause the bot to send a message that mentions all members in the chat, bypassing any permission controls. This can lead to spam, disruption, or abuse of notification systems. Version 1.6.2 contains a patch for the issue."},{"lang":"es","value":"Cocotais Bot es un framework oficial de QQ basado en qq-bot-sdk. A partir de la versión 1.5.0-test2-hotfix y anteriores a la 1.6.2, la función de eco de comandos del framework permite a los usuarios activar indirectamente comportamientos privilegiados mediante la inyección de etiquetas especiales de la plataforma. En concreto, un usuario no autorizado puede usar el comando `/echo <qqbot-at-everyone />` para que el bot envíe un mensaje que mencione a todos los miembros del chat, omitiendo así cualquier control de permisos. Esto puede generar spam, interrupciones o abuso de los sistemas de notificación. La versión 1.6.2 incluye un parche para este problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-74"}]}],"references":[{"url":"https://github.com/cocotais/cocotais-bot/commit/d1cf01a9a41b3131241d1833444b890c8d6e70b8","source":"security-advisories@github.com"},{"url":"https://github.com/cocotais/cocotais-bot/security/advisories/GHSA-mj2c-8hxf-ffvq","source":"security-advisories@github.com"},{"url":"https://github.com/cocotais/cocotais-bot/security/advisories/GHSA-mj2c-8hxf-ffvq","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}]}
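The record above describes a CWE-74 injection: an echo command reflects user text into an outbound message, and the platform interprets `<qqbot-at-everyone />` in that message as a privileged mention-all. The following TypeScript is an added example, not code from cocotais-bot or from the referenced fix commit; it models the vulnerable reflection beside a hardened version that neutralises platform markup for unprivileged callers. The `InboundMessage` shape, the `<qqbot-at-user ... />` and `<@...>` mention forms covered by the pattern, and the full-width-bracket replacement are assumptions made for the example; only `<qqbot-at-everyone />` is named in the advisory.

```typescript
// Added example (not cocotais-bot code). Models the /echo command from
// CVE-2025-47948: the bot reflects user text into a chat where the QQ platform
// interprets markup such as <qqbot-at-everyone /> on the bot's behalf.

// Constructed stand-in for an inbound platform event (assumed shape).
interface InboundMessage {
  authorId: string;
  content: string;
}

// Strip the command prefix; what remains is attacker-controlled text.
function echoBody(msg: InboundMessage): string {
  return msg.content.replace(/^\/echo\s*/, "");
}

// Vulnerable handler: user-supplied text goes straight into the outbound
// message, so an unprivileged user can make the bot emit a mention-all tag.
function echoVulnerable(msg: InboundMessage): string {
  return echoBody(msg);
}

// Platform tags that trigger privileged behaviour when the *bot* sends them.
// <qqbot-at-everyone /> is the tag named in the advisory. The generic
// <qqbot-... /> form and guild-style <@...> mentions are assumptions added for
// defence in depth; tolerate whitespace and case so trivial variants are caught.
const PLATFORM_TAG = /<\s*\/?\s*qqbot-[a-z-]+[^>]*>|<@!?[^>]*>/gi;

// Neutralise markup by swapping the ASCII angle brackets for full-width ones
// (assumed safe rendering): the tag is displayed literally, not interpreted.
function neutralisePlatformTags(text: string): string {
  return text.replace(PLATFORM_TAG, (tag) =>
    tag.replace(/</g, "\uFF1C").replace(/>/g, "\uFF1E"),
  );
}

// Hardened handler: never let reflected text carry live platform tags.
function echoHardened(msg: InboundMessage): string {
  return neutralisePlatformTags(echoBody(msg));
}

// Policy variant: only callers already allowed to mention-all keep raw tags,
// which restores the permission control the advisory says was bypassed.
function echoWithPolicy(msg: InboundMessage, privilegedIds: Set<string>): string {
  const body = echoBody(msg);
  return privilegedIds.has(msg.authorId) ? body : neutralisePlatformTags(body);
}

// Outbound check: does the text still contain a live platform tag?
// A fresh RegExp avoids the lastIndex state of the shared global pattern.
function containsPlatformTag(text: string): boolean {
  return new RegExp(PLATFORM_TAG.source, "i").test(text);
}

// Constructed attack message matching the advisory's example.
const ATTACK: InboundMessage = {
  authorId: "user-1",
  content: "/echo <qqbot-at-everyone /> server maintenance now",
};
```

Wiring `containsPlatformTag` in as a final guard before every send, rather than relying on each command to sanitise, is the more robust placement: any future command that reflects user text gets the same protection.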