CVE-2026-22712 LOW

CVE-2026-22712: ApprovedRevs allows bypassing the inline CSS sanitizer

Vendor The Wikimedia Foundation
Product Mediawiki - ApprovedRevs Extension
Weakness CWE-116
Published January 9, 2026
Last update January 9, 2026

CVSS base score

2.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

What the vulnerability does

01Description

Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.

Key dates

02Disclosure timeline

January 9, 2026 CVE published
January 9, 2026 Record updated