VYPR

Unfurl

by Ryandfir

Source repositories

CVEs (2)

  • CVE-2026-40035 | Critical | Apr 8, 2026
    risk 0.59 | cvss 9.1 | epss 0.01

    Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing…

  • CVE-2026-40036 | High | Apr 8, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes,…