MEDIUM 4.3
CVE-2026-23866
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
CVSS v3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected mobile apps
Vulnerable CPE configurations
| Vendor | Product | Platform | Versions | CPE 2.3 URI |
|---|---|---|---|---|
| Android | ≥2.25.8.0 ≤2.26.7.10 | cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:* | ||
| iOS | ≥2.25.8.0 ≤2.26.15.72 | cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:iphone_os:*:* |