![Wanted: Suspect for Homicide in the 18th District [VIDEO]](https://thephillypi.com/wp-content/uploads/2026/05/Wanted-Suspect-for-Homicide-in-the-18th-District-VIDEO-330x220.jpg "Wanted: Suspect for Homicide in the 18th District [VIDEO]")
A critical Telegram flaw could allow zero-click remote code execution on devices, but Telegram denies it.
Researcher Michael DePlante (@izobashi) of TrendAI Zero Day disclosed a new Telegram vulnerability through Zero Day Initiative (ZDI).
The vulnerability, tracked as ZDI-CAN-30207 (CVSS score of 9.8) allows attackers to execute code on targeted devices without any user interaction. This vulnerability is especially dangerous because an attacker can exploit it simply by sending a malicious animated sticker, with no action required from the victim. The vulnerability lies in how Telegram automatically processes media to generate previews, allowing crafted files to trigger code execution.
The flaw poses a serious security risk, especially as no patch is currently available, raising concerns across the cybersecurity community.
The vulnerability affects Telegram on Android and Linux; if exploited, it allows attackers to take full control of a device.
EXPLORE MORE
National broadcast campaign launches to expand awareness of abortion pill reversal
(LifeSiteNews) — Three major pro-life organizations launched a national public service announcement…
Missing Juvenile Adrian Henriquez from the 26th District
The Philadelphia Police Department is seeking the public’s assistance in locating missing…
CVE-2026-3888: Ubuntu Desktop 24.04+ vulnerable to Root exploit
Ubuntu flaw CVE-2026-3888 lets attackers gain root via a systemd timing exploit,…
U.S. CISA adds Google Chrome flaws to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chrome flaws to…
Missing Juvenile Aiden Gregg from the 35th District Has Been Located
Missing Juvenile Aiden Gregg from the 35th District Has Been Located |…
Open letter to MPs demands changes to Liberal internet bill
OTTAWA - A collective of Canadian lawyers and top academics demanded in…
At this time it is unclear if threat actors have already exploited it in attacks in the wild.
The Zero Day Initiative did not disclose technical details about the vulnerability to give the company time to address it by July 24, 2026.
The Italian National Cybersecurity Agency (ACN) reported that Telegram has denied the disclosed zero-click vulnerability, stating it does not exist. The company says all stickers are validated server-side before delivery, preventing malicious files from being used as an attack vector and making code execution via stickers technically impossible.
“Following direct discussions, Telegram Messenger has formally denied the existence of the previously reported zero-click vulnerability, stating that the flaw does not exist. The vendor claims that every sticker uploaded to the platform undergoes mandatory validation on its servers before being distributed to client applications.” reads an update published on the ACN’s advisory. “According to this official position, the centralized filtering process prevents corrupted stickers from being used as an attack vector, making it technically impossible to execute malicious code through this method.”
As a mitigation measure, Telegram Business users can limit incoming messages from new contacts. In Settings → Privacy and Security → Messages, they can restrict messages to saved contacts or Premium users only.
Exploits targeting popular platforms like Telegram can be worth millions on underground markets, and threat actors can quickly weaponize them.
