CVE-2026-23866 PUBLISHED

Assigner: Meta
Reserved: 16.01.2026 Published: 01.05.2026 Updated: 01.05.2026

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Facebook
Product	WhatsApp for Android
Versions	Default: unaffected affected from 2.25.8.0 to 2.26.7.10 (excl.)

Vendor	Facebook
Product	WhatsApp for iOS
Versions	Default: unaffected affected from 2.25.8.0 to 2.26.15.72 (excl.)

References

Problem Types

Improper Verification of Source of a Communication Channel (CWE-940)