CVE-2026-22712
Unknown Unknown - Not Provided
Improper Output Encoding in Mediawiki ApprovedRevs Enables Data Manipulation

Publication date: 2026-01-09

Last updated on: 2026-02-12

Assigner: wikimedia-foundation

Description
Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-01-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22712
EUVD
EUVD-2026-1819
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
wikiworks approved_revs 1.39
wikiworks approved_revs 1.43
wikiworks approved_revs 1.44
wikiworks approved_revs 1.45
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the MediaWiki ApprovedRevs extension occurs because the __APPROVEDREVS__ magic word replacement happens too late in the parsing process (ParserAfterTidy hook), after strip markers are removed. This timing allows user-supplied attribute values, such as inline CSS style attributes, to be manipulated without proper encoding or escaping. As a result, an attacker can inject malicious CSS that bypasses the inline CSS sanitizer, potentially triggering actions like making HTTP requests to external URLs. The root cause is unsafe replacement of the magic word inside inline CSS after sanitization steps have already been applied. [1]

Impact Analysis

This vulnerability can allow an attacker to inject malicious CSS into pages using the ApprovedRevs extension, bypassing the inline CSS sanitizer. This could lead to unintended behavior such as leaking information, triggering external requests, or manipulating the appearance and behavior of the website in ways not intended by administrators. Although the CVSS score is low (2.3), the impact includes potential input data manipulation and security bypasses that could affect site integrity and user trust. [1]

Detection Guidance

This vulnerability can be detected by checking if your MediaWiki ApprovedRevs extension is performing magic word replacement at the ParserAfterTidy hook, which allows unsafe injection into inline CSS style attributes. Specifically, you can verify the version of the ApprovedRevs extension installed (versions 1.39, 1.43, 1.44, or 1.45 are affected). There is no direct network detection command provided, but you can inspect the extension code or logs for the use of the ParserAfterTidy hook for magic word replacement. Additionally, testing for CSS injection by attempting to inject inline CSS that triggers an external HTTP request (e.g., to https://http.cat/418) in a style attribute might confirm the vulnerability. [1]

Mitigation Strategies

The immediate mitigation is to update the ApprovedRevs extension to a fixed version where the magic word replacement hook has been changed from ParserAfterTidy to InternalParseBeforeLinks. This fix prevents unsafe replacement in style attributes by performing the replacement earlier in the parsing process. The patch has been merged into the master branch and backported to REL1_44 and REL1_45 branches. Applying these updates will resolve the vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22712. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart