Update WhatsApp now: Two new flaws could expose you to malicious files

### Executive Summary Meta/WhatsApp published patches for two vulnerabilities: CVE‑2026‑23866, which can cause WhatsApp to load media from attacker-controlled URLs (potentially triggering OS URL handlers), and CVE‑2026‑23863, where embedded NUL bytes in filenames on Windows can make executables appear as benign files. Users are instructed to update WhatsApp on Android, iOS, and Windows; the advisory states there is no evidence these bugs have been exploited in the wild.