Advisories for Pypi/Red-DiscordBot package

2024

Red-DiscordBot vulnerable to Incorrect Authorization in commands API

Due to a bug in Red's Core API, 3rd-party cogs using the @commands.can_manage_channel() command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any public 3rd-party cog utilizing this API at the time of writing …

2020

Incorrect Authorization

Red Discord Bot has an unauthorized privilege escalation vulnerability in the Mod module. This vulnerability allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a specific condition that is beyond that user's control. By abusing this vulnerability, it is possible to perform destructive actions within the guild the user has high privileges in.

Injection Vulnerability

An RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specifically crafted usernames to inject code into the Trivia module leaderboard command. By abusing this exploit it is possible to perform destructive actions and/or access sensitive information.

Code Injection

Red Discord Bot has a Remote Code Execution vulnerability in the Streams module. This exploit allows Discord users with specifically crafted "going live" messages to inject code into the Streams module's going live message. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information. As a workaround, unloading the Streams module with unload streams can render this exploit not accessible.