CVE-2026-23863

MEDIUM 6.5

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild.

Vendor	facebook
Product	whatsapp desktop for windows
Published	May 1, 2026
Last Updated	May 1, 2026

Stay Ahead of the Next One

Get instant alerts for facebook whatsapp desktop for windows

Be the first to know when new medium vulnerabilities affecting facebook whatsapp desktop for windows are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:F/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Facebook / WhatsApp Desktop for Windows

2.3000.*.252500 < 2.3000.1032164386.258709

References

NVD ↗ CVE.org ↗ EPSS Data ↗

facebook.com: https://www.facebook.com/security/advisories/cve-2026-23863 whatsapp.com: https://www.whatsapp.com/security/advisories/2026