PT-2026-36500 · Meta · Whatsapp

Published: 2026-05-01 · Updated: 2026-05-05 · CVE-2026-23866

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

WhatsApp for iOS versions 2.25.8.0 through 2.26.15.72
WhatsApp for Android versions 2.25.8.0 through 2.26.7.10

Description

Incomplete validation of AI rich response messages for Instagram Reels allows a user to trigger the processing of media content from an arbitrary URL on another user's device. This can include triggering OS-controlled custom URL scheme handlers, which are specific protocols used by the operating system to open corresponding applications.

Recommendations

Update WhatsApp for iOS to a version later than 2.26.15.72.
Update WhatsApp for Android to a version later than 2.26.7.10.

Related Identifiers

CVE-2026-23866

Affected Products

Whatsapp