CVE-2026-23866
CVSS 4.3 · MEDIUM
Summary
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
CVSS 3.1 breakdown
| Metric | Value |
| --- | --- |
| Base score | 4.3 (MEDIUM) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | LOW |
| Integrity | NONE |
| Availability | NONE |
Weakness type (CWE)
Affected products
Whatsapp whatsapp
References
- https://www.facebook.com/security/advisories/cve-2026-23866
- https://www.whatsapp.com/security/advisories/2026
Data: NIST NVD. NVD last modified 2026-05-11. Always verify against the vendor advisory before acting.