CVE Alert

CVE-2026-23866

CVSS Score: 4.3 (MEDIUM)
EPSS Score: 0.0%
EPSS Percentile: 0th

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.

Vendor: facebook
Product: whatsapp for android
Published: May 1, 2026
Last Updated: May 1, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Affected Versions

Facebook / WhatsApp for Android
2.25.8.0 < 2.26.7.10
Facebook / WhatsApp for iOS
2.25.8.0 < 2.26.15.72

References

facebook.com: https://www.facebook.com/security/advisories/cve-2026-23866
whatsapp.com: https://www.whatsapp.com/security/advisories/2026