theinfosecnews

CVE-2026-40036

Published April 9, 2026 · Updated April 9, 2026

CVSS 7.5 (high)

What This Means

CVE-2026-40036 is a high-severity unbounded zlib decompression vulnerability found in Unfurl before version 2026.04. Attackers can exploit this flaw by submitting specially crafted compressed payloads to the /json/visjs endpoint, leading to denial of service by exhausting server memory. To mitigate this risk, upgrade to Unfurl version 2026.04 or later.

Official Description

Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.
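The defensive pattern for this class of bug is to never call an unbounded inflate on attacker-controlled input: inflate incrementally and abort once the output passes a cap. The following is an added example, not Unfurl's code or its actual fix; the 1 MiB cap, the base64-in-URL-parameter encoding and the sample payloads are assumptions for illustration.

```python
import base64
import zlib

# Output cap; an assumption for this example, not Unfurl's setting. Size it to the
# largest legitimate payload you expect.
MAX_DECOMPRESSED_BYTES = 1024 * 1024

class DecompressionLimitExceeded(ValueError):
    """Raised when inflating the input would exceed the configured output cap."""

def bounded_zlib_decompress(data: bytes, max_size: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate a zlib stream, aborting as soon as output would exceed max_size.
    zlib.decompress() has no output limit, so kilobytes of input can expand to
    gigabytes; a decompressobj with max_length inflates incrementally instead."""
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not inflater.eof:
        room = max_size - len(out)
        # Ask for one byte more than allowed: if we get it, the stream is too big.
        chunk = inflater.decompress(pending, room + 1)
        out += chunk
        if len(out) > max_size:
            raise DecompressionLimitExceeded(
                f"output exceeds {max_size} bytes (input was {len(data)} bytes)")
        pending = inflater.unconsumed_tail
        if not chunk and not pending:
            # No output, no input left, no end-of-stream marker: truncated data.
            raise zlib.error("incomplete zlib stream")
    return bytes(out)

def inflate_url_param(value: str, max_size: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Decode a base64 URL-parameter value and inflate it under the cap."""
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    return bounded_zlib_decompress(raw, max_size)

def classify(value: str) -> str:
    """Return 'ok', 'too_large' or 'corrupt' for one parameter value."""
    try:
        inflate_url_param(value)
        return "ok"
    except DecompressionLimitExceeded:
        return "too_large"
    except zlib.error:
        return "corrupt"

# Constructed sample inputs (not from the advisory): a benign payload and a
# compression "bomb" of 8 MiB of zeros that shrinks to a few kilobytes.
BENIGN_PARAM = base64.urlsafe_b64encode(zlib.compress(b"visjs node data " * 64)).decode()
BOMB_PARAM = base64.urlsafe_b64encode(zlib.compress(b"\0" * (8 * 1024 * 1024))).decode()
```

The oversized input is rejected after at most one cap's worth of output has been buffered, rather than after the whole expansion has been allocated.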

Recommended Actions

  1. Check whether any of your systems run Unfurl at a version before 2026.04.
  2. Upgrade to Unfurl 2026.04 or later, the version the advisory names as fixed.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review web server and application logs for requests to the /json/visjs endpoint that coincide with memory exhaustion or service crashes related to CVE-2026-40036.
