WhatsApp for iOS and Android Incomplete Validation Vulnerability Allowing Arbitrary URL Media Processing

Vulnerability

A vulnerability exists in WhatsApp for iOS versions 2.25.8.0 prior to 2.26.15.72 and in WhatsApp for Android versions 2.25.8.0 prior to 2.26.7.10. This vulnerability stems from incomplete validation of AI-rich response messages related to Instagram Reels. It could have allowed a user to initiate the processing of media content from an arbitrary URL on another user's device. Additionally, it could have triggered operating system-controlled custom URL scheme handlers.

Impact

Exploitation of this vulnerability could have led to unauthorized processing of media content from external URLs on a user's device, potentially allowing for the misuse of custom URL scheme handlers that could be controlled by the operating system.

Added: May 1, 2026, 5:16 PM

Updated: May 1, 2026, 5:16 PM

Vulnerability Rating

Custom Algorithm

spread

9.0

impact

0.6

exploitability

4.7

remediation

0.0

relevance

6.8

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

9.0

impact

0.6

exploitability

4.7

remediation

0.0

relevance

6.8

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WhatsApp for iOS and Android Incomplete Validation Vulnerability Allowing Arbitrary URL Media Processing

Vulnerability

Impact

Affected Products

WhatsApp

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating