CVE-2019-18426
In short
WhatsApp Desktop had a security flaw that could allow attackers to run malicious code or read files on your computer if you clicked on a specially crafted link preview in a message. This is dangerous because attackers could steal your information or take control of your system.
Technical detail
CWE-79 cross-site scripting vulnerability in WhatsApp Desktop <0.3.9309 paired with iPhone <2.20.10 allows arbitrary script execution and local file access via malicious link previews. Attack requires user interaction (clicking preview); impact includes code execution in desktop client context and unauthorized file read access.
Summary generated and translated by AI from the official description.
A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Affected products
Facebook · WhatsApp Desktop
Public PoCs found — 3
github · github.com/HumanSecurity/CVE-2019-18426 · ★ 11
cve_reference · packetstormsecurity.com/files/157097/WhatsApp-Desktop-0.3.9308-Cross-Site-Scripting.html · unverified
exploitdb · www.exploit-db.com/exploits/48295 · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.