InfoSecBulletin Cybersecurity for mankind
Meta-owned WhatsApp has released two new security warnings about flaws fixed earlier this year in the well-known messaging app. One issue is CVE-2026-23863, a medium-risk attachment spoofing problem that affects WhatsApp for Windows before version 2.3000.1032164386.258709.
An attacker could use the flaw to make a harmful document with NUL bytes in its name. When sent as an attachment, the receiver would think it’s a safe file, but it would run as a program when opened, WhatsApp’s notice says.
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Critical Cisco ISE Vulnerability Enables Remote Code Execution
F5 Patches NGINX Flaw for Code Execution and DoS Attacks
FortiBleed: 70,000 Fortinet Firewalls Compromised Globally
New Rokarolla Android malware hits 217 banking and crypto apps
Phishing Campaign Exploits Legitimate Microsoft Login Flow
ALERT
Cisco SD-WAN Zero-Day, FortiSandbox and cPanel flaws exploited in attacks
“Panthalassa” builds floating AI data centers powered by ocean waves
Critical Wazuh Vuln Enables Alert Tampering and Evidence Deletion
The second flaw, CVE-2026-23866, has a ‘medium impact’ rating. It impacts WhatsApp for iOS (v2.25.8.0-v2.26.15.72) and WhatsApp for Android (v2.25.8.0-v2.26.7.10).
According to WhatsApp, incomplete validation of AI rich response messages for Instagram Reels could have allowed an attacker to “trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers.”
WhatsApp has not given more details, but these custom URL problems could let bad actors send users to fake sites and open other apps on the device using URL schemes like facetime:, tel:, itms-apps:, or special app links.
The company states there is no proof of abuse in nature.
