Meta-owned WhatsApp has revealed two new security advisories describing vulnerabilities that were patched earlier this year in the popular messaging app.
One of the vulnerabilities is CVE-2026-23863, a medium-impact attachment spoofing issue affecting WhatsApp for Windows prior to version 2.3000.1032164386.258709.
An attacker could have exploited the flaw to create a maliciously formatted document with embedded NUL bytes in the file name. When sent as an attachment, the recipient would see it as a harmless file, but it would run as an executable when opened, WhatsApp’s advisory explains.
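A receiving application or mail/chat gateway can refuse such names outright. The following check is an added example, not code from WhatsApp or its advisory; it assumes only that some code paths treat the name as a NUL-terminated string, and the function names, extension list and sample names are constructed for illustration.

```python
import os
import unicodedata

# Extensions treated as executable on Windows in this example (illustrative subset, an assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".msi", ".ps1", ".vbs", ".lnk"}


def _ext(name: str) -> str:
    """Lower-cased final extension, ignoring trailing dots and spaces, which Windows strips."""
    return os.path.splitext(name.rstrip(". "))[1].lower()


def check_attachment_name(name: str) -> list[str]:
    """Return a list of findings; an empty list means the name passed every check."""
    findings = []
    # Control characters (NUL, CR, LF, ...) have no place in a file name.
    bad = sorted({f"U+{ord(c):04X}" for c in name if unicodedata.category(c) == "Cc"})
    if bad:
        findings.append("control characters: " + ", ".join(bad))
    if "\x00" in name:
        # A NUL-terminated (C string) API stops at the first NUL, so two code
        # paths can disagree about what the name, and therefore the type, is.
        truncated = name.split("\x00", 1)[0]
        if _ext(truncated) != _ext(name):
            findings.append(f"extension differs across NUL: {_ext(truncated)!r} vs {_ext(name)!r}")
        if {_ext(truncated), _ext(name)} & EXECUTABLE_EXTS:
            findings.append("one view of the name is executable")
    return findings


def safe_to_accept(name: str) -> bool:
    """Policy used here: reject outright rather than try to sanitise the name."""
    return not check_attachment_name(name)


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for sample in ["invoice.pdf", "invoice.pdf\x00.exe", "setup.exe\x00.pdf"]:
        print(repr(sample), "->", check_attachment_name(sample) or "ok")
```

The check flags a mismatch in either direction, because the advisory does not say which view of the name the client displayed and which it opened.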
The second vulnerability, CVE-2026-23866, has also been assigned a ‘medium impact’ rating. It affects WhatsApp for iOS (v2.25.8.0-v2.26.15.72) and WhatsApp for Android (v2.25.8.0-v2.26.7.10).
According to WhatsApp, incomplete validation of AI rich response messages for Instagram Reels could have allowed an attacker to “trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers.”
WhatsApp has not shared additional information, but such custom URL scheme vulnerabilities in real-world attack scenarios could allow threat actors to redirect users to phishing sites, and launch other apps and services on the device via URL schemes such as facetime:, tel:, itms-apps:, or custom app deep links.
WhatsApp said both vulnerabilities were responsibly disclosed by unnamed researchers through the Meta bug bounty program.
The company says there is no evidence of exploitation in the wild.



