{"id":"PYSEC-2020-265","details":"In Red Discord Bot before version 3.3.11, an RCE vulnerability has been discovered in the Trivia module: it allows Discord users with specially crafted usernames to inject code into the Trivia module's leaderboard command. By abusing this vulnerability, it's possible to perform destructive actions and/or access sensitive information. This critical vulnerability has been fixed in version 3.3.11.","aliases":["CVE-2020-15140","GHSA-55j9-849x-26h4"],"modified":"2026-02-22T22:49:33.778985Z","published":"2020-08-21T17:15:00Z","references":[{"type":"WEB","url":"https://github.com/Cog-Creators/Red-DiscordBot/pull/4175/commits/9ab536235bafc2b42c3c17d7ce26f1cc64482a81"},{"type":"ADVISORY","url":"https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-55j9-849x-26h4"}],"affected":[{"package":{"name":"red-discordbot","ecosystem":"PyPI","purl":"pkg:pypi/red-discordbot"},"ranges":[{"type":"GIT","repo":"https://github.com/Cog-Creators/Red-DiscordBot","events":[{"introduced":"0"},{"fixed":"9ab536235bafc2b42c3c17d7ce26f1cc64482a81"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3.11"}]}],"versions":["3.0.0","3.0.0b16","3.0.0b17","3.0.0b18","3.0.0b19","3.0.0b20","3.0.0b21","3.0.0rc1","3.0.0rc1.post1","3.0.0rc2","3.0.0rc3","3.0.0rc3.post1","3.0.1","3.0.2","3.1.0","3.1.1","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","3.2.0","3.2.1","3.2.2","3.2.3","3.3.0","3.3.1","3.3.10","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7","3.3.8","3.3.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/red-discordbot/PYSEC-2020-265.yaml"}}],"schema_version":"1.7.3"}