CVE-2026-22712

🗓️ 09 Jan 2026 00:06:22Reported by wikimedia-foundationType

CVE-2026-22712: ApprovedRevs bypasses the inline CSS sanitizer via magic word replacement in ParserAfterTidy.

Reporter	Title	Published	Views	Family All 8
Circl	CVE-2026-22712	9 Jan 202601:29	–	circl
CNNVD	Mediawiki - ApprovedRevs Extension 安全漏洞	9 Jan 202600:00	–	cnnvd
Cvelist	CVE-2026-22712 ApprovedRevs allows bypassing the inline CSS sanitizer	9 Jan 202600:06	–	cvelist
EUVD	EUVD-2026-1819	9 Jan 202600:06	–	euvd
NVD	CVE-2026-22712	9 Jan 202600:15	–	nvd
Positive Technologies	PT-2026-2257	9 Jan 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-22712	10 Jan 202605:41	–	redhatcve
Vulnrichment	CVE-2026-22712 ApprovedRevs allows bypassing the inline CSS sanitizer	9 Jan 202600:06	–	vulnrichment

NVD

Node

wikiworks approved_revsMatch1.39mediawiki

wikiworks approved_revsMatch1.43mediawiki

wikiworks approved_revsMatch1.44mediawiki

wikiworks approved_revsMatch1.45mediawiki

[
  {
    "defaultStatus": "unaffected",
    "product": "Mediawiki - ApprovedRevs Extension",
    "vendor": "The Wikimedia Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "1.45"
      },
      {
        "status": "affected",
        "version": "1.44"
      },
      {
        "status": "affected",
        "version": "1.43"
      },
      {
        "status": "affected",
        "version": "1.39"
      }
    ]
  }
]

Source	Link
gerrit	www.gerrit.wikimedia.org/r/q/Iee1bf1cbc8a519899e7f9dde508856bd4e5a5d2a
phabricator	www.phabricator.wikimedia.org/T412068

12 Feb 2026 17:50Current

6.5Medium risk

Vulners AI Score6.5

CVSS 3.14.3

CVSS 42.3

EPSS0.00018

SSVC

CWE-116