A researcher has claimed a zero-click CVSS 9.8 vulnerability in Telegram’s sticker file processing pipeline, but Telegram has publicly denied the flaw exists, no CVE has been assigned, no independent proof-of-concept has been confirmed, and all five sources in the feed are Tier 3 with scoring inconsistencies between sources; confidence in technical validity is low. The appropriate response is heightened monitoring rather than emergency action: disable media auto-download on managed endpoints where Telegram is in use, log this as an open unverified risk item, and reassess if a CVE is assigned, a CISA advisory is published, or independent technical verification emerges. The broader risk context is that Telegram’s architecture presents documented enterprise risk independent of this claim, including absence of end-to-end encryption on default cloud chats and prior confirmed exploitation of media auto-download features.