See https://integration.wikimedia.org/ci/job/mwext-php72-phan-docker/91675/console
includes/specials/SpecialMultiLock.php:344 SecurityCheck-XSS Calling method \OutputPage::addHTML() in \SpecialMultiLock::showUserTable that outputs using tainted argument #1 ($rowtext). (Caused by: Builtin-\OutputPage::addHTML)