CVE-2026-40036
Received Received - Intake
Unbounded Zlib Decompression in Unfurl Causes DoS via /json/visjs

Publication date: 2026-04-08

Last updated on: 2026-04-17

Assigner: VulnCheck

Description
Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40036
EUVD
EUVD-2026-20779
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ryandfir unfurl to 2026.04 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Unfurl versions before 2026.04 and involves an unbounded zlib decompression issue in the parse_compressed.py file.

Remote attackers can exploit this by submitting highly compressed payloads through URL parameters to the /json/visjs endpoint.

These payloads decompress into very large amounts of data (gigabytes), which can exhaust the server's memory and cause the service to crash, resulting in a denial of service.

Impact Analysis

The primary impact of this vulnerability is a denial of service condition.

Attackers can cause the affected server to consume excessive memory resources by sending specially crafted compressed payloads, leading to server crashes and service unavailability.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40036. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart