PT-2025-7203 · Unknown · Discord-Bot-Framework-Kernel

Retr0-Init · Published 2025-02-18 · Updated 2025-05-27 · CVE-2025-26604

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Discord-Bot-Framework-Kernel, versions prior to commit f0d9e70841a0e3170b88c4f8d562018ccd8e8b14

Description: The issue allows users to execute potentially malicious code, which can be used to extract sensitive information or cause damage. By loading a module that contains malicious code and then running a command, an attacker can extract the bot token. With that token, the attacker can run a counterfeit bot that acts as the real one, which amounts to full control if the bot holds high privileges. The attacker can also load a blocking module to sabotage the bot, producing a denial-of-service effect comparable to a DDoS attack.

Recommendations: Users running versions prior to commit f0d9e70841a0e3170b88c4f8d562018ccd8e8b14 are advised to upgrade to a version that includes that commit. Users unable to upgrade may limit their Discord bot's access via its configuration options. As a temporary workaround, restrict access to sensitive information and reduce the bot's privileges until a patch is applied.

Fix: commit f0d9e70841a0e3170b88c4f8d562018ccd8e8b14

Vulnerability type: Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2025-26604, GHSA-87JF-GF75-WWFM

Affected Products: Discord-Bot-Framework-Kernel