CVE-2026-23866
Improper URL Handling in WhatsApp for iOS and Android
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: Facebook, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| | | 2.26.15.72 |
| | | 2.26.7.10 |
| | | From 2.25.8.0 (inc) to 2.26.15.72 (inc) |
| | | From 2.25.8.0 (inc) to 2.26.7.10 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-940 | The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability stems from incomplete validation of AI rich response messages for Instagram Reels in the affected versions of WhatsApp for iOS and Android. A user could use such a message to make another user's device process media content from an arbitrary URL, which includes triggering custom URL scheme handlers controlled by the operating system.
How can this vulnerability impact me?
The vulnerability could allow an attacker to cause a victim's device to process media content from arbitrary URLs, potentially leading to unintended actions or exposure to malicious content. This could include triggering OS-level handlers that execute certain functions or open other applications. However, there is no evidence that this vulnerability has been exploited in the wild.