CVE-2026-22712

Published: Jan 9, 2026Modified: Feb 12, 2026

2.3

Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc (Secondary)

Description

Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.

Affected (4)

Products: Wikiworks: Approved Revs

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Wikiworks Approved Revs	Version 1.39
Wikiworks Approved Revs	Version 1.43
Wikiworks Approved Revs	Version 1.44
Wikiworks Approved Revs	Version 1.45

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (3)

https://gerrit.wikimedia.org/r/q/Iee1bf1cbc8a519899e7f9dde508856bd4e5a5d2a

Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc

Patch

https://phabricator.wikimedia.org/T412068

Source: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc

ExploitIssue Tracking

https://phabricator.wikimedia.org/T412068

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitIssue Tracking

Timeline

No history available yet.