Of note folks, if you see the thing about "Telegram 9.8 flaw!!!" going around:
- There is _no_ confirmation of this yet, it's only listed as an "upcoming" vuln without assigned page on ZDI's site.
- Media/stickers/calls/etc are _not_ confirmed mechanisms at all, and may have nothing to do with it.
- We don't even know that it's an RCE, that's just an assumption that some other websites have run with.
- Other "9.8 CVSS" 'vunlerabilities' have been reported in the past for other software that were...not. This AI slop one against curl (https://hackerone.com/reports/3340109) comes to mind.
It just says the vendor is Telegram, and Telegram has numerous services. For all we know this could be related to their blockchain, their payment platforms, or a vulnerability allowing malicious takeover of someone else's bot. There is zero information, as the researcher themself has said nothing on what it is so far.
(If any part of this is no longer true please let me know with verified info and I will edit the post to remove those.)
Kay Ohtie 🔜 FWA
npub1zq…9lsst
2026-03-28 20:00:55 UTC
Author Public Key
npub1zqqr926mzhw9c2l5yum4xtrflusrdmt9zfwje4qtw7awrkrz625q99lsstSeen on
wss://relay.momostr.pinkPublished at
2026-03-28 20:00:55 UTCEvent JSON
{
"id": "70be7bfdb3e42a70d89124ad5a8c31dba8cedeaa1a8139a24665d0f58cc35ddb",
"pubkey": "100032ab5b15dc5c2bf42737532c69ff2036ed65125d2cd40b77bae1d862d2a8",
"created_at": 1774728055,
"kind": 1,
"tags": [
[
"proxy",
"https://blimps.xyz/@KayOhtie/116308577823392737",
"web"
],
[
"proxy",
"https://blimps.xyz/users/KayOhtie/statuses/116308577823392737",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://blimps.xyz/users/KayOhtie/statuses/116308577823392737",
"pink.momostr"
],
[
"-"
]
],
"content": "Of note folks, if you see the thing about \"Telegram 9.8 flaw!!!\" going around:\n\n- There is _no_ confirmation of this yet, it's only listed as an \"upcoming\" vuln without assigned page on ZDI's site.\n- Media/stickers/calls/etc are _not_ confirmed mechanisms at all, and may have nothing to do with it.\n- We don't even know that it's an RCE, that's just an assumption that some other websites have run with.\n- Other \"9.8 CVSS\" 'vunlerabilities' have been reported in the past for other software that were...not. This AI slop one against curl (https://hackerone.com/reports/3340109) comes to mind.\n\nIt just says the vendor is Telegram, and Telegram has numerous services. For all we know this could be related to their blockchain, their payment platforms, or a vulnerability allowing malicious takeover of someone else's bot. There is zero information, as the researcher themself has said nothing on what it is so far.\n\n(If any part of this is no longer true please let me know with verified info and I will edit the post to remove those.)",
"sig": "dc4abf22a209ca0c50ded7ecac7e23c7f781395f2afc014b8bb80e2e00f8b7682c24d5eec9fc90a3e342cb684f91cb6c06c069d91053f27c65e22ab6d77c811b"
}