www.securityweek.com 5/5/2026, 9:18:58 AM · via preferred

WhatsApp fixes attachment spoof and AI mediated URL bug


Meta-owned WhatsApp has published two security advisories describing vulnerabilities that were patched earlier this year in the messaging app. One is CVE-2026-23863, a medium‑impact attachment spoofing issue affecting WhatsApp for Windows prior to version 2.3000.1032164386.258709, where a maliciously formatted document could contain embedded NUL bytes in the file name and run as an executable when opened.

The second, CVE-2026-23866, also carries a medium impact rating and affects WhatsApp for iOS (v2.25.8.0–v2.26.15.72) and Android (v2.25.8.0–v2.26.7.10). According to WhatsApp, incomplete validation of AI rich response messages for Instagram Reels could have allowed an attacker to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS‑controlled custom URL scheme handlers.

WhatsApp said both vulnerabilities were responsibly disclosed by unnamed researchers through the Meta bug bounty program, and there is no evidence of exploitation in the wild.
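For defenders handling the file-name issue behind CVE-2026-23863, the following added example (not WhatsApp's code and not from the advisory) shows a receive-side check that rejects attachment names containing NUL or other control characters and reports when different consumers of the same name would see different extensions. The advisory does not say which component mishandled the NUL bytes, so the three "views" modelled here, the extension list and the sample names are assumptions constructed for illustration.

```python
import os

# Assumption: a small, non-exhaustive set of extensions Windows treats as runnable.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi", ".ps1"}


def _ext(name: str) -> str:
    """Lower-cased extension of a bare file name ('' if none)."""
    return os.path.splitext(name)[1].lower()


def inspect_attachment_name(name: str) -> dict:
    """Decide whether an attachment file name received from a peer is safe to use."""
    reasons = []
    # View 1: a NUL-terminated (C string) consumer stops at the first NUL.
    c_view = name.split("\x00", 1)[0]
    # View 2: a UI that silently drops non-printable characters.
    shown = "".join(ch for ch in name if ch.isprintable())
    if "\x00" in name:
        reasons.append("embedded NUL byte")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name.replace("\x00", "")):
        reasons.append("control character")
    views = {"full": _ext(name), "c_string": _ext(c_view), "displayed": _ext(shown)}
    if len(set(views.values())) > 1:
        reasons.append("extension differs between views")
    if any(ext in EXECUTABLE_EXTS for ext in views.values()):
        reasons.append("executable extension in at least one view")
    return {"accept": not reasons, "reasons": reasons, "views": views}


# Constructed sample names, not taken from the advisory.
SAMPLES = ["report.pdf", "invoice.exe\x00.pdf", "invoice.pdf\x00.exe", "notes\t.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = inspect_attachment_name(sample)
        print(repr(sample), verdict["accept"], verdict["reasons"], verdict["views"])
```

Running the check before the name reaches any display or file-open path means every later component works from a name that has only one interpretation.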


Article by CyberSIXT
