Attachment Spoofing Vulnerability in WhatsApp for Windows
CVE-2026-23863

6.5MEDIUM

Key Information:

Vendor: Facebook
Status: WhatSAPp Desktop For Windows
Vendor: CVE Published:; 1 May 2026

What is CVE-2026-23863?

An attachment spoofing vulnerability in WhatsApp for Windows allows attackers to present maliciously crafted documents with embedded NUL bytes in their filenames. These files could appear as benign formats within the application but actually execute harmful code when opened. This misleading behavior poses significant risks as users may unknowingly run executable files disguised as harmless documents, jeopardizing their system's security.

Affected Version(s)

WhatsApp Desktop for Windows 2.3000.*.252500 < 2.3000.1032164386.258709

References

https://www.facebook.com/security/advisories/cve-2026-23863

x_refsource_CONFIRM

https://www.whatsapp.com/security/advisories/2026

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2026
Vulnerability Reserved
Jan 16, 2026

CVE-2026-23863 Data

JSON

Facebook

What is CVE-2026-23863?

Affected Version(s)

References

CVSS V3.1

Timeline