彙總 telegram 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 跨站腳本、緩衝區溢位、SSRF與輸入驗證問題,在 軟體部署與生產負載 使用場景中可能帶來 檔案覆寫、工作階段劫持與異常行為 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2021-47793 | Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized message payload. Attackers can generate a 9 million byte buffer and paste it into the messaging interface to trigger an application crash. | [email protected] | 4.6 | 0.03% | 2026-01-16 | 2026-01-30 |
| CVE-2024-7014 | EvilVideo vulnerability allows sending malicious apps disguised as videos in Telegram for Android application affecting versions 10.14.4 and older. | [email protected] | 7.1 | 17.55% | 2024-07-23 | 2026-02-09 |
| CVE-2023-34658 | Telegram v9.6.3 on iOS allows attackers to hide critical information on the User Interface via calling the function SFSafariViewController. | [email protected] | 5.3 | 0.07% | 2023-06-29 | 2024-11-27 |
| CVE-2023-26818 | Telegram 9.3.1 and 9.4.0 allows attackers to access restricted files, microphone ,or video recording via the DYLD_INSERT_LIBRARIES flag. | [email protected] | 5.5 | 5.18% | 2023-05-19 | 2025-01-21 |
| CVE-2022-43363 | Telegram Web 15.3.1 allows XSS via a certain payload derived from a Target Corporation website. NOTE: some third parties have been unable to discern any relationship between the Pastebin information and a possible XSS finding. | [email protected] | 6.1 | 0.23% | 2022-12-06 | 2024-11-21 |
| CVE-2021-41861 | The Telegram application 7.5.0 through 7.8.0 for Android does not properly implement image self-destruction, a different vulnerability than CVE-2019-16248. After approximately two to four uses of the self-destruct feature, there is a misleading UI indication that an image was deleted (on both the sender and recipient sides). The images are still present in the /Storage/Emulated/0/Telegram/Telegram Image/ directory. | [email protected] | 3.3 | 0.06% | 2021-10-04 | 2024-11-21 |
| CVE-2021-40532 | Telegram Web K Alpha before 0.7.2 mishandles the characters in a document extension. | [email protected] | 9.8 | 0.43% | 2021-09-06 | 2024-11-21 |
| CVE-2021-37596 | Telegram Web K Alpha 0.6.1 allows XSS via a document name. | [email protected] | 6.1 | 0.22% | 2021-07-30 | 2024-11-21 |
| CVE-2021-36769 | A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent a client. | [email protected] | 5.3 | 0.29% | 2021-07-17 | 2024-11-21 |
| CVE-2021-31323 | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the LottieParserImpl::parseDashProperty function of their custom fork of the rlottie library. A remote attacker might be able to access heap memory out-of-bounds on a victim device via a malicious animated sticker. | [email protected] | 5.5 | 0.48% | 2021-05-18 | 2024-11-21 |
| CVE-2021-31322 | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library. A remote attacker might be able to access heap memory out-of-bounds on a victim device via a malicious animated sticker. | [email protected] | 5.5 | 0.37% | 2021-05-18 | 2024-11-21 |
| CVE-2021-31321 | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the gray_split_cubic function of their custom fork of the rlottie library. A remote attacker might be able to overwrite Telegram's stack memory out-of-bounds on a victim device via a malicious animated sticker. | [email protected] | 7.1 | 0.18% | 2021-05-18 | 2024-11-21 |
| CVE-2021-31320 | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the VGradientCache::generateGradientColorTable function of their custom fork of the rlottie library. A remote attacker might be able to overwrite heap memory out-of-bounds on a victim device via a malicious animated sticker. | [email protected] | 7.1 | 0.79% | 2021-05-18 | 2024-11-21 |
| CVE-2021-31319 | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by an Integer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library. A remote attacker might be able to access heap memory out-of-bounds on a victim device via a malicious animated sticker. | [email protected] | 5.5 | 0.21% | 2021-05-18 | 2024-11-21 |
| CVE-2021-31318 | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the LOTCompLayerItem::LOTCompLayerItem function of their custom fork of the rlottie library. A remote attacker might be able to access heap memory out-of-bounds on a victim device via a malicious animated sticker. | [email protected] | 5.5 | 0.22% | 2021-05-18 | 2024-11-21 |
| CVE-2021-31317 | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the VDasher constructor of their custom fork of the rlottie library. A remote attacker might be able to access Telegram's heap memory out-of-bounds on a victim device via a malicious animated sticker. | [email protected] | 5.5 | 0.17% | 2021-05-18 | 2024-11-21 |
| CVE-2021-31315 | Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the blit function of their custom fork of the rlottie library. A remote attacker might be able to access Telegram's stack memory out-of-bounds on a victim device via a malicious animated sticker. | [email protected] | 5.5 | 0.13% | 2021-05-18 | 2024-11-21 |
| CVE-2021-30496 | The Telegram app 7.6.2 for iOS allows remote authenticated users to cause a denial of service (application crash) if the victim pastes an attacker-supplied message (e.g., in the Persian language) into a channel or group. The crash occurs in MtProtoKitFramework. NOTE: the vendor's perspective is that "this behavior can't be considered a vulnerability." | [email protected] | 5.7 | 0.64% | 2021-04-20 | 2024-11-21 |
| CVE-2021-27351 | The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session. | [email protected] | 5.3 | 0.18% | 2021-02-19 | 2024-11-21 |
| CVE-2021-27205 | Telegram before 7.4 (212543) Stable on macOS stores the local copy of self-destructed messages in a sandbox path, leading to sensitive information disclosure. | [email protected] | 5.5 | 0.05% | 2021-02-12 | 2024-11-21 |