WhatsApp has published a fresh security advisory detailing two vulnerabilities, tracked as CVE-2026-23863 and CVE-2026-23866, that affected different versions of its desktop and mobile apps.
The company said the flaws were addressed before public disclosure and that it has not seen evidence of exploitation in the wild.
File spoofing and media handling flaws
According to the advisory, CVE-2026-23863 affected WhatsApp for Windows prior to v2.3000.1032164386.258709.
It involved an attachment spoofing issue in which maliciously formatted documents with embedded NUL bytes in the filename could appear to be one type of file inside the app but run as an executable when opened.
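A defensive check for the filename condition described above, as an added example that is not WhatsApp's code and not taken from the advisory. It assumes the mismatch arises because one component reads the whole name while another stops at the first NUL; the function names, the deny-list and the sample names are constructed for illustration.

```python
# Added example: the extensions below are a constructed deny-list, not WhatsApp's.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".lnk", ".vbs", ".js", ".ps1"}


def _ext(name: str) -> str:
    """Lower-cased extension of the last path component, or '' if none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def check_attachment_name(name: str) -> list:
    """Return reasons to reject the name; an empty list means it passed."""
    findings = []
    # NUL, other C0 control characters and DEL have no place in a filename.
    controls = sorted({ord(c) for c in name if ord(c) < 0x20 or ord(c) == 0x7F})
    if controls:
        findings.append("control bytes in name: " + " ".join(f"0x{c:02x}" for c in controls))

    # Assumption: one component reads the whole string, another stops at the
    # first NUL (as NUL-terminated string APIs do). Compare both views.
    full_ext = _ext(name)
    cut_ext = _ext(name.split("\x00", 1)[0])
    if full_ext != cut_ext:
        findings.append(f"extension differs after NUL truncation: {full_ext!r} vs {cut_ext!r}")

    # Flag an executable type under either reading, whichever one is displayed.
    for ext in sorted({full_ext, cut_ext} & EXECUTABLE_EXTS):
        findings.append(f"executable extension under some interpretation: {ext}")
    return findings


# Constructed sample names, not taken from the advisory.
SAMPLES = ["report.pdf", "report.pdf\x00.exe", "setup.exe\x00.pdf", "notes\x00"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", check_attachment_name(s) or "ok")
```

Because the check compares both readings of the name, it flags the mismatch regardless of which side of the NUL the displaying component and the opening component each use.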
The second issue, CVE-2026-23866, affected WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10. It stemmed from incomplete validation of AI-rich response messages for Instagram Reels and could have allowed a user to trigger processing of media content from an arbitrary URL on another user's device, including OS-controlled custom URL scheme handlers.
Bug bounty findings patched, users advised to update
Meta said the issues were reported through its bug bounty program, with the iOS and Android flaw credited to an external researcher and the Meta Security Team.
Both vulnerabilities were rated medium severity and patched via updates. The advisory page also urged users to keep WhatsApp updated, saying, "We strongly encourage all users to ensure they keep their WhatsApp up-to-date."
The disclosure comes as Meta continues to push users toward timely app and operating system updates while reiterating that the advisory is meant to help researchers understand technical scenarios and does not imply users were impacted in the same way described in the CVE entries.
This development also reinforces a broader point: while encrypted messaging platforms like WhatsApp are generally considered more secure than traditional SMS services, they are not entirely risk-free.