cvedb.io
CVE-2026-23866
MEDIUM · CVSS 4.3
EPSS exploitation probability: 0%
Published 2026-05-01T16:16:29.980 · Last modified 2026-06-17T10:22:13.670

Summary

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.

Affected products

whatsapp — whatsapp

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.