Vulnerability Details CVE-2026-40036
Unfurl before 2026.04 performs unbounded zlib decompression in parse_compressed.py, which allows remote attackers to cause a denial of service. Because the size of the inflated output is not capped, an attacker can submit a small, highly compressed payload via URL parameters to the /json/visjs endpoint that expands to gigabytes of data, exhausting server memory and crashing the service.
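As an added example that is not Unfurl's own code, the following Python script shows the two halves of the issue the description refers to: an unbounded zlib.decompress() call that allocates whatever the stream inflates to, beside a bounded decompressor that reads the same stream through zlib.decompressobj() and refuses once total output would exceed a budget. The payload (8 MiB of zeros, kept small so the script runs quickly), the byte budget, and the function names make_bomb, decompress_unbounded, decompress_bounded and within_budget are constructed for illustration and do not come from the Unfurl code base or the advisory.

```python
import zlib

# Constructed sample payload: 8 MiB of NUL bytes compresses to a few KiB,
# roughly 1000:1, which is about deflate's practical maximum. A real bomb
# would simply be longer; the amplification ratio is what matters.
BOMB_PLAIN_SIZE = 8 * 1024 * 1024


def make_bomb(plain_size: int = BOMB_PLAIN_SIZE) -> bytes:
    """Return a small zlib stream that inflates to plain_size bytes."""
    return zlib.compress(b"\x00" * plain_size, 9)


def decompress_unbounded(data: bytes) -> bytes:
    """The vulnerable pattern: zlib.decompress() allocates a buffer for
    whatever the stream expands to, so the attacker controls the allocation."""
    return zlib.decompress(data)


def decompress_bounded(data: bytes, max_out: int) -> bytes:
    """Hardened form: inflate incrementally and stop once total output would
    exceed max_out bytes. Decompress.decompress(chunk, max_length) never
    returns more than max_length bytes; input it did not reach is left in
    unconsumed_tail for the next call, so nothing is inflated ahead of time."""
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while buf and not d.eof:
        # Ask for at most one byte beyond the budget: receiving that byte
        # proves the stream is oversized, and we abort before allocating more.
        out += d.decompress(buf, max_out - len(out) + 1)
        if len(out) > max_out:
            raise ValueError(f"decompressed output exceeds {max_out} bytes")
        buf = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated or invalid zlib stream")
    return bytes(out)


def within_budget(data: bytes, max_out: int) -> bool:
    """True if the stream inflates to at most max_out bytes without error."""
    try:
        decompress_bounded(data, max_out)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    bomb = make_bomb()
    print(f"wire size: {len(bomb)} bytes, inflates to {BOMB_PLAIN_SIZE} bytes")
    # Unbounded: succeeds and allocates the full 8 MiB (gigabytes for a real bomb).
    print("unbounded:", len(decompress_unbounded(bomb)), "bytes allocated")
    # Bounded with a 1 MiB budget: rejected long before the full expansion.
    print("bounded, 1 MiB budget accepted:", within_budget(bomb, 1024 * 1024))
```

The budget should be chosen from what the endpoint actually needs to parse (a URL parameter that is legitimately compressed is at most a few kilobytes), and the same cap should be applied to every decompression path, not only the one named in the advisory.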
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 39.1%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-40036
- cpe:2.3:a:ryandfir:unfurl:2020.08.12
- cpe:2.3:a:ryandfir:unfurl:2020.11.02
- cpe:2.3:a:ryandfir:unfurl:2021.03.11
- cpe:2.3:a:ryandfir:unfurl:2021.06.15
- cpe:2.3:a:ryandfir:unfurl:2022.02
- cpe:2.3:a:ryandfir:unfurl:2022.11
- cpe:2.3:a:ryandfir:unfurl:2022.11.01
- cpe:2.3:a:ryandfir:unfurl:2023.09
- cpe:2.3:a:ryandfir:unfurl:2023.09.01
- cpe:2.3:a:ryandfir:unfurl:2023.09.02
- cpe:2.3:a:ryandfir:unfurl:2023.09.03
- cpe:2.3:a:ryandfir:unfurl:2023.09.04
- cpe:2.3:a:ryandfir:unfurl:2023.09.05
- cpe:2.3:a:ryandfir:unfurl:2024.06
- cpe:2.3:a:ryandfir:unfurl:2024.06.26
- cpe:2.3:a:ryandfir:unfurl:2024.06.27
- cpe:2.3:a:ryandfir:unfurl:2024.11
- cpe:2.3:a:ryandfir:unfurl:2024.11.20
- cpe:2.3:a:ryandfir:unfurl:2025.02
- cpe:2.3:a:ryandfir:unfurl:2025.03
- cpe:2.3:a:ryandfir:unfurl:2025.08