CVE-2026-23866
Published 2026-05-01
Priority: P4 · Severity: Medium (CVSS 3.1 base score 4.3)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (network attack vector, low complexity, low privileges required, no user interaction, scope unchanged, low confidentiality impact, no integrity or availability impact)
EPSS: 0.46% (36.8th percentile)
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
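The weakness described above is a URL inside an AI rich response message that reaches a media loader, or the OS URL opener, without being checked against an allowlist first. The block below is an added example of the kind of check that closes that gap, written in Python for illustration only; it is not WhatsApp's code, and the allowlisted CDN hosts, the constructed sample URLs and the allow/reject output format are assumptions made for this example.

```python
"""Allowlist validation for a media URL carried inside a rich message.

Added example for CVE-2026-23866; not WhatsApp code. The hosts, sample URLs
and decision format are assumptions for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: media for these messages is only ever served from first-party
# CDN hosts; anything else is rejected before any loader or OS URL opener
# sees it.
ALLOWED_HOSTS = frozenset({"cdn.example.com", "media.example.com"})
MAX_URL_LEN = 2048


class MediaURLRejected(ValueError):
    """Raised when a URL must not be fetched or opened."""


def validate_media_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return url unchanged if it is plain https to an allowlisted host.

    Everything else raises MediaURLRejected. In particular custom schemes
    (tel:, intent:, myapp:) are refused before any scheme handler is reached.
    """
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LEN:
        raise MediaURLRejected("missing, non-string, empty or oversized URL")
    # Whitespace and control characters make different parsers see different
    # URLs; reject them outright instead of trimming.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        raise MediaURLRejected("whitespace or control character in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise MediaURLRejected(f"scheme {parts.scheme!r} is not https")
    # https://cdn.example.com@evil.example/ parses with host evil.example
    if parts.username is not None or parts.password is not None:
        raise MediaURLRejected("userinfo is not allowed")
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        raise MediaURLRejected("URL has no host")
    try:
        port = parts.port  # raises ValueError on e.g. :99999
    except ValueError:
        raise MediaURLRejected("malformed port") from None
    if port not in (None, 443):
        raise MediaURLRejected(f"port {port} is not 443")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, not an IP literal: fall through to the allowlist
    else:
        raise MediaURLRejected("IP literals are not allowed")
    if host.rstrip(".") not in allowed_hosts:
        raise MediaURLRejected(f"host {host!r} is not allowlisted")
    return url


def triage(urls, allowed_hosts=ALLOWED_HOSTS):
    """Map each candidate URL to 'allow' or 'reject: <reason>'."""
    verdicts = {}
    for u in urls:
        try:
            validate_media_url(u, allowed_hosts)
            verdicts[u] = "allow"
        except MediaURLRejected as e:
            verdicts[u] = f"reject: {e}"
    return verdicts


# Constructed sample: media URL values as they might arrive in a rich
# response message. None of these are real payloads from the advisory.
SAMPLE_URLS = [
    "https://cdn.example.com/reels/123/video.mp4",      # allow
    "https://media.example.com:443/thumb.jpg",         # allow (default port)
    "http://cdn.example.com/reels/123/video.mp4",      # wrong scheme
    "myapp://open?action=settings",                    # custom scheme
    "intent://scan/#Intent;scheme=zxing;end",          # Android intent scheme
    "https://cdn.example.com@evil.example/video.mp4",  # userinfo trick
    "https://evil.example/cdn.example.com/video.mp4",  # trusted name in path
    "https://203.0.113.7/video.mp4",                   # IP literal
    "https://cdn.example.com:8443/video.mp4",          # non-default port
    "https://cdn.example.com/a\nmyapp://x",            # embedded control char
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:40} {url!r}")
```

The check is deliberately an allowlist on scheme and host rather than a blocklist of dangerous schemes: a blocklist has to know every custom scheme every installed app registers, whereas rejecting everything that is not https to a known CDN host covers them all, including schemes that do not exist yet.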
Affected
| Product | Version range | Fixed in |
|---|---|---|
| WhatsApp for Android (whatsapp_for_android) | >= 2.25.8.0, < 2.26.7.10 | 2.26.7.10 |
| WhatsApp for iOS (whatsapp_for_ios) | >= 2.25.8.0, < 2.26.15.72 | 2.26.15.72 |
GHSA
GHSA-4x7f-p792-g362 (unreviewed · 2026-05-01 · Medium · CWE-940: Improper Verification of Source of a Communication Channel)
The GHSA description is the same text as the CVE description above.
VulDB
Facebook WhatsApp on iOS/Android verification of source (vuldb · 2026-05-01 · CVSS 4.3 · Medium)
VulDB classifies the issue as problematic: an unknown function in WhatsApp on iOS/Android is affected, and manipulating it leads to improper verification of the source of a communication channel. The attack can be launched remotely. No public exploit is known. Upgrading to the fixed versions listed above is advised.
Exploitation status
No detection rules found. No public exploits indexed.
Timeline
2026-05-01: Published