CVE-2026-40036

Name
CVE-2026-40036
Description
Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.
NVD Severity
unknown

References

| Type | URI |
| --- | --- |
| disclosure@vulncheck.com | https://github.com/obsidianforensics/unfurl/releases/tag/v2026.04 |
| disclosure@vulncheck.com | https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-h5qv-qjv4-pc5m |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/dfir-unfurl-denial-of-service-via-unbounded-zlib-decompression |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:ryandfir:unfurl:*:*:*:*:*:*:*:* | unfurl | >= None | < 2026.04 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| unfurl | edge-community | 0.4.3-r33 | DWwanghao <wanghao03@loongson.cn> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r32 | DWwanghao <wanghao03@loongson.cn> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r31 | DWwanghao <wanghao03@loongson.cn> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r30 | DWwanghao <wanghao03@loongson.cn> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r29 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r28 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r27 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r26 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r25 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r24 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r23 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r22 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r21 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r20 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r19 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | edge-community | 0.4.3-r18 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | 3.23-community | 0.4.3-r32 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | 3.23-community | 0.4.3-r31 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | 3.23-community | 0.4.3-r30 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | 3.23-community | 0.4.3-r29 | Celeste <cielesti@protonmail.com> | possibly vulnerable |
| unfurl | 3.23-community | 0.4.3-r28 | Celeste <cielesti@protonmail.com> | possibly vulnerable |