High severity (7.5) · NVD Advisory · Published Apr 8, 2026 · Updated Apr 17, 2026
CVE-2026-40036
Description
Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.
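Added illustration of the fix pattern (not Unfurl's own code nor the referenced patch): the unbounded call beside a bounded replacement that inflates in capped slices via zlib.decompressobj and refuses any stream that would expand past a configured limit. The 64 KiB cap and the constructed 2 MiB-of-zeros sample input are assumptions.

```python
import zlib

# Assumed cap on inflated size; a real service would tune this per endpoint.
MAX_OUTPUT_BYTES = 64 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when a zlib stream would inflate past the configured cap."""


def decompress_unbounded(data: bytes) -> bytes:
    # The vulnerable pattern: output size is dictated entirely by the input,
    # so a few kilobytes of input can materialise gigabytes in memory.
    return zlib.decompress(data)


def decompress_bounded(data: bytes, limit: int = MAX_OUTPUT_BYTES) -> bytes:
    """Inflate `data`, never holding more than `limit` + 1 output bytes in memory."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        # Ask for at most (room + 1) bytes: one byte over the cap is enough to
        # prove the stream is oversized, and nothing beyond that is materialised.
        chunk = d.decompress(pending, max_length=limit - len(out) + 1)
        out += chunk
        if len(out) > limit:
            raise DecompressionLimitExceeded(
                f"inflated size exceeds {limit} bytes; refusing to continue")
        pending = d.unconsumed_tail  # input left over because of max_length
        if not chunk and not pending:
            break  # no progress and no input left: stream is truncated
    if not d.eof:
        raise zlib.error("truncated or malformed zlib stream")
    return bytes(out)


def constructed_sample() -> bytes:
    # Constructed test input: 2 MiB of zeros compresses to a few KiB, roughly
    # the 1000:1 ratio that makes unbounded inflation dangerous.
    return zlib.compress(b"\x00" * (2 * 1024 * 1024), 9)


def is_rejected(data: bytes, limit: int = MAX_OUTPUT_BYTES) -> bool:
    """True if the bounded decoder refuses `data` at `limit`."""
    try:
        decompress_bounded(data, limit)
    except DecompressionLimitExceeded:
        return True
    return False
```

Memory use of decompress_bounded is limited to the input plus limit + 1 bytes regardless of the compression ratio, which is the property the unbounded call lacks.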
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| dfir-unfurl | PyPI | < 20260405 | 20260405 |
References
- github.com/obsidianforensics/unfurl/security/advisories/GHSA-h5qv-qjv4-pc5m (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-h5qv-qjv4-pc5m (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-40036 (GHSA: Advisory)
- www.vulncheck.com/advisories/dfir-unfurl-denial-of-service-via-unbounded-zlib-decompression (NVD: Third Party Advisory)
- github.com/RyanDFIR/unfurl/commit/7cc711a65b106742a21080b755f81c17b5725aa8 (GHSA)
- github.com/RyanDFIR/unfurl/pull/243 (GHSA)
- github.com/RyanDFIR/unfurl/releases/tag/v2026.04 (GHSA)
- github.com/obsidianforensics/unfurl/releases/tag/v2026.04 (NVD: Release Notes)