CVE-2026-22712 - Vulnerability Details

- ApprovedRevs allows bypassing the inline CSS sanitizer

Description

Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.

Published: 2026-01-09

Score: 2.3 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Improper encoding through magic word replacement in the ParserAfterTidy step of the ApprovedRevs extension allows an attacker to inject malicious or unintended CSS into the page output. This bypasses the inline CSS sanitizer, potentially enabling style-based defacement, click‑jacking, or obscure XSS vectors. The weakness is classified under CWE‑116 for improper output encoding and has a CVSS score of 2.3, indicating low severity but the impact could still harm user experience or enable subtle content manipulation.

Affected Systems

The vulnerability affects the ApprovedRevs extension of MediaWiki produced by The Wikimedia Foundation. Versions 1.39, 1.43, 1.44, and 1.45 are vulnerable.

Risk and Exploitability

Because the CVSS is 2.3 and EPSS is less than 1%, the risk of exploitation is considered very low. The likely attack vector is content manipulation via magic words that the extension processes, which is inferred from the description. Since the issue involves output encoding, an attacker would need to inject crafted CSS through approved content or magic word processing to affect the rendering for users who view these pages. The vulnerability is not listed in CISA’s KEV catalog, further supporting its low exploitation likelihood.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

The Wikimedia Foundation

Mediawiki - ApprovedRevs Extension

unaffected

Version	Status	Constraints
`1.45`	affected	—
`1.44`	affected	—
`1.43`	affected	—
`1.39`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:wikiworks:approved_revs:1.39:::::mediawiki::
	cpe:2.3:a:wikiworks:approved_revs:1.43:::::mediawiki::
	cpe:2.3:a:wikiworks:approved_revs:1.44:::::mediawiki::
	cpe:2.3:a:wikiworks:approved_revs:1.45:::::mediawiki::

No data.

Vendor	Product	Confidence	Versions
Mediawiki	Mediawiki	—	—
Wikimedia	Mediawiki-approvedrevs Extension	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a fixed version of the ApprovedRevs extension that addresses the magic word replacement bug.
If an immediate upgrade is not possible, temporarily disable magic word usage in the MediaWiki configuration to prevent the injection vectors.
Audit existing approved pages for unexpected inline CSS and remove or sanitize any malicious styles discovered.
Implement stricter content sanitization for inline styles in MediaWiki to mitigate similar issues in the future.

Generated by OpenCVE AI on April 18, 2026 at 07:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://gerrit.wikimedia.org/r/q/Iee1bf1cbc8a519899e7f9dde508856bd4e5a5d2a
https://phabricator.wikimedia.org/T412068

History

Thu, 12 Feb 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wikiworks Wikiworks approved Revs
CPEs		cpe:2.3:a:wikiworks:approved_revs:1.39:::::mediawiki:: cpe:2.3:a:wikiworks:approved_revs:1.43:::::mediawiki:: cpe:2.3:a:wikiworks:approved_revs:1.44:::::mediawiki:: cpe:2.3:a:wikiworks:approved_revs:1.45:::::mediawiki::
Vendors & Products		Wikiworks Wikiworks approved Revs
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

Fri, 09 Jan 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 09 Jan 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mediawiki Mediawiki mediawiki Wikimedia Wikimedia mediawiki-approvedrevs Extension
Vendors & Products		Mediawiki Mediawiki mediawiki Wikimedia Wikimedia mediawiki-approvedrevs Extension

Fri, 09 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
Description		Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.
Title		ApprovedRevs allows bypassing the inline CSS sanitizer
Weaknesses		CWE-116
References		https://gerrit.wikimedia.org/r/q/Iee1bf1cbc8a519899e7f9dde508856bd4e5a5d2a https://phabricator.wikimedia.org/T412068
Metrics		cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}`

Subscriptions

Mediawiki Mediawiki

Wikimedia Mediawiki-approvedrevs Extension

Wikiworks Approved Revs

MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published: 2026-01-09T00:06:22.430Z

Updated: 2026-01-09T19:15:28.083Z

Reserved: 2026-01-08T23:23:42.385Z

Link: CVE-2026-22712

Vulnrichment

Updated: 2026-01-09T19:15:25.619Z

NVD

Status : Analyzed

Published: 2026-01-09T00:15:45.837

Modified: 2026-02-12T17:50:28.073

Link: CVE-2026-22712

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses

CWE-116

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object