Unfurl < 2026.04 - Denial of Service via Unbounded zlib Decompression | Advisories

Advisories

Unfurl < 2026.04 - Denial of Service via Unbounded zlib Decompression

severity: high
date: 4/8/2026
Affecting: dfir-unfurl < 2026.04
CVE: CVE-2026-40036
CWE: CWE-770 Allocation of Resources Without Limits or Throttling
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References: GitHub Security Advisory (GHSA-h5qv-qjv4-pc5m)
Release Notes
Credit: Mobasi Security Team
Description: Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo