Cyber Resilience

CVE-2019-18426

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 21 January 2020
Modified: 24 October 2025
KEV Added: 23 May 2022
Patch: available (see vendor fixed versions below)
CVSS Score (v3.1): 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
EPSS Score: 0.6100 (98.3rd percentile)
Risk Priority: 73 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-18426 is a high-severity Cross-site Scripting (CWE-79) vulnerability in WhatsApp (vendor: WhatsApp). Its CVSS base score is 8.2 (High).

Operationally, it is ranked in the top 1.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a cross-site scripting flaw, also enabling local file reading, that affects WhatsApp Desktop versions prior to 0.3.9309 when used with WhatsApp for iPhone versions prior to 2.20.10. It is tracked as CWE-79 and carries a CVSS 3.1 score of 8.2: network attack vector, low attack complexity, no privileges required, user interaction required, and changed scope.

An attacker can exploit the issue by sending a specially crafted text message containing a malicious link preview; if the recipient clicks the preview, the attacker can execute arbitrary script in the context of the desktop application and read local files. The attack requires no authentication and targets the paired desktop client.

Facebook's security advisory and the associated CISA entry in the known exploited vulnerabilities catalog both direct users to apply the fixed versions of the desktop and iPhone applications as the primary mitigation. The issue has been publicly referenced in exploit archives and is confirmed to have been leveraged in real-world attacks.

EU & UK References

Vulnerability details

A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.

CWE(s): CWE-79
KEV Date Added: 23 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: whatsapp
Product: whatsapp
Versions: ≤ 0.3.9309 · ≤ 2.20.10

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Directly requires applying the vendor patches that close the XSS/local-file flaw in the affected WhatsApp Desktop and iOS clients.

Prevent (SI-10, Information Input Validation): Mandates input validation and sanitization on untrusted message content (link previews) to block the reflected XSS vector.

Prevent (least privilege): Limits the desktop application's privileges so that even successful script execution cannot read arbitrary local files.
