Meta Patches WhatsApp Flaws Enabling Malicious URL Handling and Windows File Spoofing
Meta disclosed and patched two WhatsApp vulnerabilities affecting iOS, Android, and Windows, including CVE-2026-23866, which allowed attackers to abuse Instagram Reels integration and incomplete validation of AI rich-response messages to make victim devices process media from attacker-controlled URLs. The flaw could trigger OS-level custom URL scheme handlers without user consent, creating opportunities for phishing, tracking, malware delivery, and other social-engineering attacks through seemingly legitimate WhatsApp content.
Meta also fixed CVE-2026-23863, a WhatsApp for Windows filename spoofing issue caused by embedded NUL bytes that could make executable files appear to be benign documents and require only a single user click to exploit. The company said both bugs were reported through its bug bounty program and that it had no evidence of active exploitation at disclosure, while urging users to update WhatsApp from official sources and advising organizations to verify Windows clients are patched and include messaging apps in enterprise attack-surface management.
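The Windows filename spoofing bug turns on a classic mismatch: a C-style consumer stops reading a name at the first NUL byte, so the name a user sees can differ from the extension the OS acts on. The check below is an added defensive example (not Meta's code) that compares the displayed name with the true extension of a raw filename; the executable-extension list and sample names are constructed for illustration.

```python
"""Detect filename spoofing via embedded NUL bytes (added example, not Meta's code).

A filename passed to a NUL-terminated string API is cut at the first NUL, so a
raw name such as b"invoice.pdf\x00.exe" may display as "invoice.pdf" while the
full name still ends in ".exe". Sample names and the extension list are
constructed; extend the list to match your own policy.
"""
import os

# Extensions Windows executes directly or that commonly carry active content.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".js", ".vbs", ".ps1", ".msi", ".hta"}


def displayed_name(raw: bytes) -> str:
    """Name as a NUL-terminated string consumer would render it."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def true_extension(raw: bytes) -> str:
    """Extension of the full name with embedded NULs removed (what the OS acts on)."""
    cleaned = raw.replace(b"\x00", b"").decode("utf-8", "replace")
    return os.path.splitext(cleaned)[1].lower()


def check_filename(raw: bytes) -> dict:
    """Classify a raw filename; any embedded NUL is abnormal, and an executable
    true extension hidden behind a different displayed extension is spoofing."""
    has_nul = b"\x00" in raw
    shown = displayed_name(raw)
    real_ext = true_extension(raw)
    shown_ext = os.path.splitext(shown)[1].lower()
    spoofed = has_nul and shown_ext != real_ext and real_ext in EXECUTABLE_EXTS
    return {
        "displayed": shown,
        "true_extension": real_ext,
        "embedded_nul": has_nul,
        "spoofed": spoofed,
    }


if __name__ == "__main__":
    for name in (b"invoice.pdf\x00.exe", b"report.docx", b"photo.jpg\x00.png"):
        print(name, check_filename(name))
```

Run this over attachment filenames as raw bytes, before any string conversion, since a decoded `str` may already have lost the part after the NUL.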
Timeline
May 5, 2026
Meta urges users and enterprises to update affected WhatsApp versions
Following disclosure of the patched flaws, Meta advised users to update WhatsApp through official channels and recommended that organizations enforce app update policies and verify Windows clients are running fixed versions. The guidance highlighted risks including phishing, malware delivery, tracking, and social engineering if systems remain unpatched.
May 5, 2026
Meta patches two WhatsApp vulnerabilities disclosed via bug bounty
Meta disclosed and patched CVE-2026-23866, affecting WhatsApp on iOS and Android via Instagram Reels rich response handling, and CVE-2026-23863, affecting WhatsApp for Windows through filename spoofing with embedded NUL bytes. Meta said both flaws were reported through its Bug Bounty Program and that it had found no evidence of active exploitation.
Related Stories

WhatsApp Vulnerabilities and Malware Targeting User Privacy and Security
A recently discovered vulnerability in WhatsApp allowed researchers to enumerate up to 3.5 billion active accounts by exploiting the app's contact syncing feature. This flaw, responsibly disclosed by researchers at the University of Vienna and subsequently patched by Meta, could have enabled malicious actors to build massive databases of phone numbers linked to WhatsApp, along with associated profile photos and "About" texts. While there is no evidence the vulnerability was exploited in the wild, the incident highlights the risks posed by convenience features and the critical importance of protecting phone numbers as sensitive personal data. In addition to this privacy risk, WhatsApp users are being targeted by a new Android malware that propagates itself through the platform. The malware automatically replies to incoming WhatsApp messages with malicious links, leveraging the trust users place in their contacts to spread further. This attack exploits the phenomenon of "context collapse," where users' social boundaries blur on messaging platforms, making them more susceptible to social engineering. These developments underscore the growing threat landscape facing WhatsApp users, combining both technical vulnerabilities and sophisticated social attacks.
1 month ago
WhatsApp Contact Discovery Flaw Exposes Billions of Phone Numbers
A group of Austrian researchers demonstrated that WhatsApp's contact discovery feature could be abused to enumerate and extract the phone numbers of 3.5 billion users globally. By automating the process of checking every possible phone number through WhatsApp’s browser-based app, the researchers were able to access not only phone numbers but also profile photos for 57% of users and profile text for 29%. This large-scale data exposure was possible because Meta, WhatsApp’s parent company, did not sufficiently limit the speed or volume of contact discovery requests, despite prior warnings about this vulnerability. In response to this and other security concerns, Meta has expanded its bug bounty initiatives, launching the WhatsApp Research Proxy tool to facilitate deeper research into WhatsApp’s network protocol and platform abuse. The company also reported adding new anti-scraping protections to WhatsApp after the enumeration technique was disclosed. Meta highlighted its ongoing investment in security, noting over $4 million in bug bounties paid out in the past year and the patching of several notable vulnerabilities, including CVE-2025-59489 affecting Quest devices.
1 month ago
OneUptime Flaws Enabled Forged WhatsApp Webhooks and Probe Command Execution
Two high-severity vulnerabilities were disclosed in **OneUptime**, an open-source monitoring and observability platform, affecting webhook handling and synthetic monitoring. **CVE-2026-33143** impacts versions before `10.0.34` and stems from missing verification of the Meta/WhatsApp `X-Hub-Signature-256` HMAC signature in the `POST /notification/whatsapp/webhook` handler. An unauthenticated attacker could forge WhatsApp status update payloads, manipulate notification delivery records, suppress alerts, and corrupt audit trails. The issue was classified as `CWE-345` and patched in version `10.0.34`. A second flaw, **CVE-2026-33396**, affects versions before `10.0.35` and allows a low-privileged authenticated user with the **ProjectMember** role to achieve remote command execution on the Probe container or host through Synthetic Monitor Playwright script execution. The weakness lies in `VMRunner.runCodeInNodeVM`, where sandboxed code retained access to a live Playwright page object and could reach dangerous methods such as `_browserType.launchServer(...)`, bypassing an incomplete denylist. The vulnerability was mapped to `CWE-78`, `CWE-693`, and `CWE-184`, carries a `CVSS:3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` rating, and was fixed in **OneUptime** version `10.0.35`.
1 month ago
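The OneUptime webhook flaw above comes down to a missing signature check. Meta signs each webhook POST with HMAC-SHA256 over the raw body using the app secret and sends it as `X-Hub-Signature-256: sha256=<hex>`; the added example below (not OneUptime's code) shows the unverified handler pattern beside a hardened one, with a constructed app secret and payload.

```python
"""Verify Meta/WhatsApp webhook signatures (added example, not OneUptime's code).

Meta computes HMAC-SHA256 over the raw request body with the app secret and
sends "X-Hub-Signature-256: sha256=<hex>". A handler that parses the body
without this check accepts forged status updates. The secret and payload
below are constructed test values.
"""
import hashlib
import hmac
import json
from typing import Optional

APP_SECRET = b"constructed-app-secret"  # assumption: loaded from config in practice


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Header value Meta would send for this exact body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """Constant-time comparison; missing or malformed headers are rejected."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, raw_body), header)


def handle_webhook_unverified(raw_body: bytes, headers: dict) -> dict:
    """Vulnerable pattern: trusts whatever arrives at the endpoint."""
    return {"accepted": True, "payload": json.loads(raw_body)}


def handle_webhook(raw_body: bytes, headers: dict) -> dict:
    """Hardened pattern: verify over the raw bytes before parsing anything."""
    if not verify_signature(APP_SECRET, raw_body, headers.get("X-Hub-Signature-256")):
        return {"accepted": False, "reason": "bad or missing signature"}
    return {"accepted": True, "payload": json.loads(raw_body)}


if __name__ == "__main__":
    body = b'{"object":"whatsapp_business_account","entry":[]}'
    print(handle_webhook(body, {"X-Hub-Signature-256": sign_body(APP_SECRET, body)}))
    print(handle_webhook(body, {}))
```

The signature must be computed over the raw bytes as received; re-serializing parsed JSON changes whitespace and key order and will not match.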