CVE-2019-18426

HIGH · KEV · RANSOMWARE

WhatsApp Desktop < 0.3.9309 and WhatsApp for iPhone < 2.20.10 - Cross-Site Scripting via Link Preview

Title source: llm

Exploitation Summary

CVE-2019-18426 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added May 23, 2022), with confirmed use in ransomware campaigns. EIP tracks 3 public exploits, from researchers including Gal Weizman and HumanSecurity.

AI-analyzed exploit summary

This exploit leverages a persistent XSS vulnerability in WhatsApp Desktop 0.3.9308 by injecting malicious JavaScript into a message. The payload executes arbitrary code, including reading local files (e.g., the hosts file), when the victim clicks the crafted message.

Description

A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.

Exploits (3)

exploitdb WORKING POC
by Gal Weizman · text · webapps · multiple
https://www.exploit-db.com/exploits/48295

This exploit leverages a persistent XSS vulnerability in WhatsApp Desktop 0.3.9308 by injecting malicious JavaScript into a message. The payload executes arbitrary code, including reading local files (e.g., the hosts file), when the victim clicks the crafted message.

Classification
Working PoC 90%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: WhatsApp Desktop 0.3.9308
Auth required
Prerequisites: Access to WhatsApp Web · Ability to send messages to the victim · Victim interaction (clicking the message)
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP 11 stars
by HumanSecurity · client-side
https://github.com/HumanSecurity/CVE-2019-18426

This repository contains a detailed technical writeup of CVE-2019-18426, a vulnerability in WhatsApp that involves an open redirect, CSP bypass, persistent XSS, and file system read permissions. The author describes the step-by-step process of discovering and exploiting these flaws, including code snippets and explanations of the attack mechanics.

Classification
Writeup 100%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: WhatsApp (iOS/Android/Windows Desktop/Mac Desktop/Web)
No auth needed
Prerequisites: Access to WhatsApp Web or desktop application · Ability to intercept and modify message metadata
devstral-2 · analyzed Feb 19, 2026
inthewild WRITEUP · poc
https://github.com/perimeterx/cve-2019-18426

This repository contains a detailed technical writeup of CVE-2019-18426, which involves multiple vulnerabilities in WhatsApp, including open redirect, CSP bypass, persistent XSS, and file system read permissions. The author provides a step-by-step breakdown of the exploitation process, including code snippets and visual aids.

Classification
Writeup 100%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: WhatsApp (iOS/Android/Windows Desktop/Mac Desktop/Web)
No auth needed
Prerequisites: Access to WhatsApp Web or desktop application · Ability to intercept and modify message metadata
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 8.2
EPSS 0.6100
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2022-05-23
VulnCheck KEV 2022-04-12
InTheWild.io 2020-02-07
ENISA EUVD EUVD-2019-8195
Ransomware Use Confirmed
CWE
CWE-79
Status published
Products (2)
whatsapp/whatsapp < 0.3.9309
whatsapp/whatsapp < 2.20.10
Published Jan 21, 2020
KEV Added May 23, 2022
Tracked Since Feb 18, 2026