
Description

Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.
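A bounded-decompression helper of the kind that closes this class of issue, added here as an illustration: it is not Unfurl's code and does not show how the 2026.04 release fixed parse_compressed.py. The 1 MiB cap and the sample payloads are assumptions constructed for the demonstration.

```python
import zlib

# Output cap for this example; a real service sizes this to the largest
# legitimate payload it expects. Assumed value, not taken from Unfurl.
MAX_OUTPUT_BYTES = 1024 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when inflated output would exceed the configured cap."""


def bounded_zlib_decompress(data: bytes, max_output: int = MAX_OUTPUT_BYTES,
                            chunk: int = 64 * 1024) -> bytes:
    """Inflate `data`, aborting as soon as the output exceeds `max_output`.
    zlib.decompress() has no cap and allocates whatever the stream expands
    to; inflating through a Decompress object with max_length lets us check
    the running total after every chunk instead.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        piece = inflater.decompress(pending, chunk)  # at most `chunk` bytes
        out.extend(piece)
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"decompressed size exceeded {max_output} bytes; rejecting input")
        if inflater.eof:
            return bytes(out)
        progressed = bool(piece) or len(inflater.unconsumed_tail) < len(pending)
        pending = inflater.unconsumed_tail  # input zlib has not consumed yet
        if not progressed:
            # No output and no input consumed: stream is truncated or corrupt.
            raise zlib.error("incomplete zlib stream")


def legit_payload_roundtrips() -> bool:
    """Constructed sample: a small JSON-like blob well under the cap."""
    original = b'{"nodes": [{"id": 1, "label": "example"}]}' * 50
    return bounded_zlib_decompress(zlib.compress(original)) == original


def bomb_is_rejected() -> bool:
    """Constructed sample: 16 MiB of zeros compresses to roughly 16 KiB.
    zlib.decompress would allocate all 16 MiB; the bounded version stops
    once the running total passes 1 MiB."""
    compressed = zlib.compress(b"\0" * (16 * 1024 * 1024), 9)
    try:
        bounded_zlib_decompress(compressed)
    except DecompressionLimitExceeded:
        return True
    return False
```

Rejecting the request early (and logging the rejection) turns a memory-exhaustion crash into a cheap, observable 4xx-style failure.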

PUBLISHED Reserved 2026-04-08 | Published 2026-04-08 | Updated 2026-05-14 | Assigner VulnCheck

HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

Allocation of Resources Without Limits or Throttling

Improper Handling of Highly Compressed Data (Data Amplification)

Product status

Default status: unaffected

Any version before 2026.04: affected

Credits

Mobasi Security Team (reporter)

References

github.com/...unfurl/security/advisories/GHSA-h5qv-qjv4-pc5m (GHSA Advisory GHSA-h5qv-qjv4-pc5m) vendor-advisory

github.com/obsidianforensics/unfurl/releases/tag/v2026.04 (VulnCheck Advisory: dfir-unfurl - Denial of Service via Unbounded zlib Decompression) release-notes patch

www.vulncheck.com/...ervice-via-unbounded-zlib-decompression third-party-advisory

cve.org (CVE-2026-40036)

nvd.nist.gov (CVE-2026-40036)
