PT-2025-21803 · Unknown · Cocotais Bot

Published 2025-05-17 · Updated 2025-05-19 · CVE-2025-47948

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Cocotais Bot versions 1.5.0-test2-hotfix through 1.6.2
Description: The issue allows unauthorized users to indirectly trigger privileged behavior by injecting special platform tags, potentially leading to spam, disruption, or abuse of notification systems. An unauthorized user can pass such a tag as the argument of the "/echo" command to make the bot send a message that mentions all members of the chat, bypassing the bot's permission controls.
Recommendations: For versions 1.5.0-test2-hotfix through 1.6.2, update to version 1.6.2 to resolve the issue. As a temporary workaround, consider restricting access to the command echoing feature until the patch is applied. Avoid using the /echo command with special platform tags, such as <qqbot-at-everyone />, in the affected API endpoint until the issue is resolved.
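The following is an added illustration, not Cocotais Bot's own code: a minimal model of the vulnerable echo handler beside a hardened one that strips platform tags for unprivileged callers and reports how many it removed, so attempts can be logged. It assumes that all of the platform's control tags share the "qqbot-" prefix; only <qqbot-at-everyone /> is named by the advisory.

```javascript
// Added example (not Cocotais Bot's own code). Models the /echo flaw in the
// advisory: the vulnerable handler relays the caller's text verbatim, so a
// platform tag like <qqbot-at-everyone /> reaches the chat platform, which
// renders it as a mention of every member regardless of who asked.

// Constructed sample argument an unprivileged user could pass to /echo.
const SAMPLE_INPUT = 'hello <qqbot-at-everyone /> everyone';

// Vulnerable behaviour as described: the echoed text is never inspected.
function echoUnsafe(text) {
  return text;
}

// Assumption: the platform's control tags all start with "qqbot-". Only
// <qqbot-at-everyone /> is named by the advisory; matching the whole prefix
// is a deliberately broader defensive choice, not a documented fact.
const PLATFORM_TAG = /<\s*\/?\s*qqbot-[a-z0-9-]+\b[^<>]*>/i;
const PLATFORM_TAG_ALL = new RegExp(PLATFORM_TAG.source, 'gi');

// Non-global regex, so .test() carries no lastIndex state between calls.
function containsPlatformTag(text) {
  return PLATFORM_TAG.test(text);
}

// Hardened handler: callers the bot already treats as privileged may echo
// tags; everyone else gets them removed. `stripped` counts removed tags so
// the caller can log the attempt, which is a useful detection signal.
function echoSafe(text, { privileged = false } = {}) {
  if (privileged) {
    return { text, stripped: 0 };
  }
  const matches = text.match(PLATFORM_TAG_ALL) || [];
  const cleaned = text
    .replace(PLATFORM_TAG_ALL, '')
    .replace(/\s{2,}/g, ' ')
    .trim();
  return { text: cleaned, stripped: matches.length };
}
```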

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2025-47948
GHSA-MJ2C-8HXF-FFVQ

Affected Products

Cocotais Bot