CVE-2026-40036
Unbounded Zlib Decompression in Unfurl Causes DoS via /json/visjs
Publication date: 2026-04-08
Last updated on: 2026-04-17
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ryandfir | unfurl | to 2026.04 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Unfurl versions before 2026.04 and involves an unbounded zlib decompression issue in the parse_compressed.py file.
Remote attackers can exploit this by submitting highly compressed payloads through URL parameters to the /json/visjs endpoint.
These payloads decompress into very large amounts of data (gigabytes), which can exhaust the server's memory and cause the service to crash, resulting in a denial of service.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service condition.
Attackers can cause the affected server to consume excessive memory resources by sending specially crafted compressed payloads, leading to server crashes and service unavailability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.