CVE-2026-22712
Improper Output Encoding in Mediawiki ApprovedRevs Enables Data Manipulation
Publication date: 2026-01-09
Last updated on: 2026-02-12
Assigner: wikimedia-foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikiworks | approved_revs | 1.39 |
| wikiworks | approved_revs | 1.43 |
| wikiworks | approved_revs | 1.44 |
| wikiworks | approved_revs | 1.45 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the MediaWiki ApprovedRevs extension occurs because the __APPROVEDREVS__ magic word replacement happens too late in the parsing process (ParserAfterTidy hook), after strip markers are removed. This timing allows user-supplied attribute values, such as inline CSS style attributes, to be manipulated without proper encoding or escaping. As a result, an attacker can inject malicious CSS that bypasses the inline CSS sanitizer, potentially triggering actions like making HTTP requests to external URLs. The root cause is unsafe replacement of the magic word inside inline CSS after sanitization steps have already been applied. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to inject malicious CSS into pages using the ApprovedRevs extension, bypassing the inline CSS sanitizer. This could lead to unintended behavior such as leaking information, triggering external requests, or manipulating the appearance and behavior of the website in ways not intended by administrators. Although the CVSS score is low (2.3), the impact includes potential input data manipulation and security bypasses that could affect site integrity and user trust. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your MediaWiki ApprovedRevs extension performs the magic word replacement in the ParserAfterTidy hook, which allows unsafe injection into inline CSS style attributes. Specifically, verify the version of the ApprovedRevs extension installed (versions 1.39, 1.43, 1.44, and 1.45 are affected). No direct network detection command is provided, but you can inspect the extension code or logs for the use of the ParserAfterTidy hook for magic word replacement. Additionally, testing for CSS injection by attempting to inject inline CSS that triggers an external HTTP request (e.g., to https://http.cat/418) in a style attribute might confirm the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the ApprovedRevs extension to a fixed version where the magic word replacement hook has been changed from ParserAfterTidy to InternalParseBeforeLinks. This fix prevents unsafe replacement in style attributes by performing the replacement earlier in the parsing process. The patch has been merged into the master branch and backported to REL1_44 and REL1_45 branches. Applying these updates will resolve the vulnerability. [1]
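The detection and mitigation answers above both come down to one question: does the installed extension still register the magic word replacement on ParserAfterTidy, or has it moved to InternalParseBeforeLinks? The following script is an added example, not code from the ApprovedRevs project or from this advisory. It reads a MediaWiki extension.json manifest (the real format keeps hook registrations under the top-level "Hooks" key), compares the hook names and the "version" string against the hook names and affected versions stated on this page, and returns a verdict. The sample manifests and the handler name ApprovedRevsHooks::placeholderHandler are constructed placeholders, not the extension's real handlers; the verdict is a heuristic because ParserAfterTidy can be registered for reasons unrelated to this bug, and a backported fix can ship under an otherwise "affected" version string.

```python
import json

# Hook names taken from the advisory text on this page.
VULNERABLE_HOOK = "ParserAfterTidy"          # replacement ran here (too late)
FIXED_HOOK = "InternalParseBeforeLinks"      # the fix moved the replacement here
# Version strings as listed in the affected-products table on this page.
AFFECTED_VERSIONS = {"1.39", "1.43", "1.44", "1.45"}


def registered_hooks(manifest: dict) -> set:
    """Return the set of hook names an extension.json manifest registers.

    extension.json maps hook names to handlers under the top-level "Hooks"
    key; only the hook names matter for this check, not the handlers.
    """
    return set(manifest.get("Hooks", {}).keys())


def assess(manifest: dict) -> dict:
    """Classify one extension.json manifest against CVE-2026-22712.

    Heuristic: an affected version that still registers ParserAfterTidy and
    does not register InternalParseBeforeLinks is treated as likely affected.
    Registering ParserAfterTidy alone is not proof (the hook has other uses),
    so verdicts are deliberately "likely", never certain.
    """
    hooks = registered_hooks(manifest)
    version = str(manifest.get("version", ""))
    has_late = VULNERABLE_HOOK in hooks
    has_early = FIXED_HOOK in hooks
    version_affected = version in AFFECTED_VERSIONS

    if has_early and not has_late:
        verdict = "likely fixed"
    elif has_late and version_affected:
        verdict = "likely affected"
    elif has_late:
        verdict = "review manually"   # hook present, version not in the list
    else:
        verdict = "indeterminate"     # neither hook registered in this manifest
    return {
        "version": version,
        "version_affected": version_affected,
        "registers_parser_after_tidy": has_late,
        "registers_internal_parse_before_links": has_early,
        "verdict": verdict,
    }


def assess_file(path: str) -> dict:
    """Load a manifest from disk, e.g. extensions/ApprovedRevs/extension.json."""
    with open(path, encoding="utf-8") as fh:
        return assess(json.load(fh))


# Constructed sample manifests (not the real ApprovedRevs files). The handler
# names are placeholders; only the hook names and version are meaningful here.
VULNERABLE_SAMPLE = {
    "name": "Approved Revs",
    "version": "1.44",
    "Hooks": {
        "ParserAfterTidy": "ApprovedRevsHooks::placeholderHandler",
        "PageSaveComplete": "ApprovedRevsHooks::placeholderHandler",
    },
}
FIXED_SAMPLE = {
    "name": "Approved Revs",
    "version": "1.44",   # same version string: a backported fix does not change it
    "Hooks": {
        "InternalParseBeforeLinks": "ApprovedRevsHooks::placeholderHandler",
        "PageSaveComplete": "ApprovedRevsHooks::placeholderHandler",
    },
}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = assess_file(target) if target else assess(VULNERABLE_SAMPLE)
    print(json.dumps(result, indent=2))
```

Run it with the path to the wiki's installed ApprovedRevs manifest, or with no argument to see the verdict for the constructed vulnerable sample. A "likely fixed" verdict on the same version string as an affected release is expected after the backport described above, which is why the check keys on the hook names rather than on the version alone; a "review manually" or "indeterminate" result means the manifest does not settle the question and the hook handler source itself should be read.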