A new Telegram vulnerability, disclosed by TrendAI Zero Day researcher Michael DePlante through the Zero Day Initiative, is tracked as ZDI-CAN-30207 and carries a CVSS score of 9.8. It reportedly enables zero-click remote code execution on Android and Linux devices, triggered simply by the processing of a malicious animated sticker. The Zero Day Initiative said it would not release technical details yet, to give Telegram time to respond, and set a disclosure deadline of 24 July 2026.
However, the Italian National Cybersecurity Agency (ACN) reports that Telegram denies the vulnerability’s existence, stating that all stickers are validated server-side before delivery and that code execution via stickers is technically impossible. Telegram has publicly reiterated this position, noting that every uploaded sticker undergoes mandatory server-side validation.
As a mitigation, Telegram Business users are advised to limit incoming messages from new contacts. The article notes that it remains unclear whether any attacks have occurred in the wild. Exploits of popular platforms can command value on underground markets, but statements about threat actors weaponising such flaws are presented only as claims. According to ACN’s advisory references, Telegram denies the flaw.