PT-2026-36499 · Meta · WhatsApp for Windows
Published: 2026-05-01 · Updated: 2026-06-01 · CVE-2026-23863
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
WhatsApp for Windows versions prior to 2.3000.1032164386.258709
Description
An attachment spoofing issue exists due to improper handling of hidden control characters, specifically embedded NUL bytes, in filenames. This allows maliciously formatted documents to be displayed as one file type within the application but execute as an executable file when opened. The issue stems from a failure to properly sanitize or validate the true file extension when displaying attachments.
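The check below is an added example, not code from Meta or from this advisory: it shows how a receiving-side filter could flag attachment filenames whose extension changes depending on whether the name is read in full or cut at an embedded NUL byte. The function names, the executable-extension list and the sample filenames are assumptions constructed for illustration.

```python
import os
import unicodedata

# Assumed list (not from the advisory): extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".msi"}


def hidden_characters(name: str) -> list[str]:
    """Code points of control characters (Unicode category Cc, includes NUL)."""
    return [f"U+{ord(ch):04X}" for ch in name
            if unicodedata.category(ch) == "Cc"]


def extension_views(name: str) -> set[str]:
    """Extensions seen when the name is read whole and when split at NUL."""
    views = {os.path.splitext(name)[1].lower()}
    for part in name.split("\x00"):
        views.add(os.path.splitext(part)[1].lower())
    views.discard("")
    return views


def assess_filename(name: str) -> dict:
    """Reject names with control characters or more than one apparent type."""
    hidden = hidden_characters(name)
    views = extension_views(name)
    return {
        "hidden": hidden,
        "extensions": sorted(views),
        "ambiguous_type": len(views) > 1,
        "executable_view": bool(views & EXECUTABLE_EXTS),
        "reject": bool(hidden) or len(views) > 1,
    }


# Constructed sample names, not taken from any real message.
SAMPLES = ["invoice.pdf", "invoice.pdf\x00.exe", "notes\x00.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), assess_filename(sample))
```

Rejecting on any control character, rather than only on an executable extension, keeps the filter independent of which reading a given viewer or shell ends up using.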
Recommendations
Update to version 2.3000.1032164386.258709 or later.
Fix
RCE
Affected Products
WhatsApp for Windows