Meta published a security advisory on May 1 disclosing two vulnerabilities in WhatsApp that were caught through its bug bounty program. The good news? Neither was exploited in the wild, and both are already patched. Press enter or click to view image in full size Image Source: Meta AI The Two Flaws The first, CVE-2026-23863, was a Windows specific issue. A maliciously crafted document with hidden "NUL bytes" buried in the filename could trick WhatsApp into displaying it as one file type ‘say’, a harmless PDF while actually running as an executable when opened. Meta fixed this one earlier this year in WhatsApp for Windows version 2.3000.1032164386.258709. The second, CVE-2026-23866, affected both iOS and Android. It involved incomplete validation of AI rich response messages for Instagram Reels shared within WhatsApp. An attacker could potentially trigger another user’s device to process media content from an arbitrary URL, including launching OS level custom URL scheme handlers.…