A new WhatsApp security advisory, published May 1, has confirmed two vulnerabilities that were discovered after being reported through Meta’s bug bounty program for the popular encrypted messaging app. Neither is known to have been exploited in the wild, and both have now been fixed by WhatsApp. Here’s what you need to know about CVE-2026-23863 and CVE-2026-23866.

WhatsApp Security Advisory—CVE-2026-23863 And CVE-2026-23866 Explained

As text message users absorb news of an SMS pumping attack that can rack up your phone bill in a matter of minutes, there’s never been a better time to switch to secure messaging apps such as Signal or WhatsApp. While not without security scares of its own, such as the recently reported phishing campaigns employing the encrypted messenger as part of the exploit chain, and a spyware threat targeting iOS users, the truth is that Meta does an excellent job of keeping the app and its users safe and secure.

If proof were needed, then look no further than the May 1 WhatsApp security advisory that has confirmed two vulnerabilities, both rated medium severity by the Common Vulnerability Scoring System. “Both were promptly fixed, and we have not seen evidence of exploitation in the wild,” a WhatsApp spokesperson told me. Both CVE-2026-23863 and CVE-2026-23866 were reported through WhatsApp’s official bug bounty program, which has been in operation for 15 years. “We continuously invest in hardening our systems and are grateful for the security research community's help in keeping WhatsApp safe,” the spokesperson said.

CVE-2026-23863 was patched earlier this year, WhatsApp told me, and was an “attachment spoofing issue in WhatsApp for Windows (prior to v2.3000.1032164386.258709)” that could have “allowed a maliciously formatted document with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened.”
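A defender-side check for the class of filename described above, as an added example that is not WhatsApp's code or its fix: it flags attachment names that contain NUL or other control characters, and names whose extension changes depending on how the string is read. The function name, the extension list and the sample names are assumptions constructed for illustration; the advisory does not describe the app's internal handling.

```python
import os
import unicodedata

# Extensions treated as executable on Windows in this example (assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".msi", ".ps1", ".vbs", ".lnk"}


def _ext(name: str) -> str:
    # Windows ignores trailing dots and spaces when it resolves a file name.
    return os.path.splitext(name.rstrip(". "))[1].lower()


def inspect_attachment_name(name: str) -> dict:
    """Compare the file type that different consumers of one filename could see."""
    # Control characters (Unicode category Cc, which includes NUL) never belong in a filename.
    bad = sorted({f"U+{ord(c):04X}" for c in name if unicodedata.category(c) == "Cc"})
    # View 1: a C-string consumer stops reading at the first NUL.
    truncated = name.split("\x00", 1)[0]
    # View 2: a consumer that drops control characters and keeps everything else.
    stripped = "".join(c for c in name if unicodedata.category(c) != "Cc")
    views = {"raw": _ext(name), "truncated": _ext(truncated), "stripped": _ext(stripped)}

    reasons = []
    if bad:
        reasons.append("control characters in name: " + ", ".join(bad))
    if len(set(views.values())) > 1:
        reasons.append("extension differs between interpretations")
    if any(e in EXECUTABLE_EXTS for e in views.values()):
        reasons.append("an interpretation resolves to an executable type")
    return {"reject": bool(reasons), "views": views, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for sample in ["invoice.pdf", "report.pdf\x00.exe", "notes.txt. "]:
        result = inspect_attachment_name(sample)
        print(repr(sample), "REJECT" if result["reject"] else "ok", result["reasons"])
```

Running the check on the name before it is displayed or saved means the label the user sees and the type the operating system opens are derived from the same validated string.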

CVE-2026-23866 was patched in April, and the vulnerability was an “incomplete validation of AI-rich response messages for Instagram Reels in WhatsApp for iOS (v2.25.8.0 - v2.26.7.22) and WhatsApp for Android (v2.25.8.0 - v2.26.7.10)” that could have “allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers.”

The good news is not only that the vulnerabilities were found before they could be exploited, but also that both have been patched. “As always, we encourage everyone to keep their apps and devices up to date,” the WhatsApp spokesperson said.