CVE-2026-40036

Summary

Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.

Affected Software

VendorProductVersion RangeStatus
obsidianforensicsunfurl0 < 2026.04affected

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling
  • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References