What is CVE-2019-18426?

CVE-2019-18426 is a vulnerability in Facebook Whatsapp Desktop, classified under Cross-site Scripting. Published 2020-01-21.

Is CVE-2019-18426 known to be exploited?

Yes. CVE-2019-18426 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-05-23), indicating it is being actively exploited. 12 public proof-of-concept repositories are indexed.

XSS in Facebook Whatsapp Desktop

CVE-2019-18426

A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a l…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.610 (98.3th percentile) — read the EPSS interpretation.

Affected products

Facebook Whatsapp Desktop — versions 0.3.9309, unspecified

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2022-05-23. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2022-06-13.

Required action: Apply updates per vendor instructions.

Public proof-of-concept exploits

References

www.facebook.com/security/advisories/cve-2019-18426 (x_refsource_CONFIRM)
packetstormsecurity.com/files/157097/WhatsApp-Desktop-0.3.9308-Cross-Site-Scrip… (x_refsource_MISC)

Frequently asked questions

What is CVE-2019-18426?: CVE-2019-18426 is a vulnerability in Facebook Whatsapp Desktop, classified under Cross-site Scripting. Published 2020-01-21.
Is CVE-2019-18426 known to be exploited?: Yes. CVE-2019-18426 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-05-23), indicating it is being actively exploited. 12 public proof-of-concept repositories are indexed.