{"id":"CVE-2026-40036","summary":"Unfurl \u003c 2026.04 - Denial of Service via Unbounded zlib Decompression","details":"Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.","aliases":["GHSA-h5qv-qjv4-pc5m","PYSEC-2026-1294"],"modified":"2026-07-08T08:13:14.357919065Z","published":"2026-04-08T21:35:28.460Z","database_specific":{"cwe_ids":["CWE-409","CWE-770"],"cna_assigner":"VulnCheck","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40036.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40036.json"},{"type":"ADVISORY","url":"https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-h5qv-qjv4-pc5m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40036"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/dfir-unfurl-denial-of-service-via-unbounded-zlib-decompression"},{"type":"FIX","url":"https://github.com/obsidianforensics/unfurl/releases/tag/v2026.04"},{"type":"PACKAGE","url":"https://github.com/obsidianforensics/unfurl"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/RyanDFIR/unfurl","events":[{"introduced":"0"},{"fixed":"ae801d5fba62777d601e39b25e06ac102fafa4ec"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:ryandfir:unfurl:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2026.04"}]}}],"versions":["v2025.08","v2025.03","v2025.02","v2024.11","v2024.11.20","v2024.06.27","v2024.06.26","v2024.06","v2023.09.05","v2023.09.04","v2023.09.03","v2023.09.02","v2023.09.01","v2023.09","v2022.11.01","v2022.11","v2022.02","v2021.06.15","v2021.03.11","20201102","20200812"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40036.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}