Key Takeaway
CVE-2026-40036 affects Unfurl versions before 2026.04, allowing remote denial of service via unbounded decompression. Update to Unfurl 2026.04 to mitigate.
What Happened
Unfurl, a widely used visualization library, has disclosed a serious vulnerability identified as CVE-2026-40036. This vulnerability was found in Unfurl versions prior to 2026.04 and was reported in early October 2023. The flaw lies in the library's handling of zlib decompression within the parse_compressed.py module.
Security researchers identified that an attacker could exploit this vulnerability remotely by sending specially crafted requests to the /json/visjs endpoint. This endpoint processes URL parameters, and the vulnerability is triggered when it receives highly compressed payloads that it cannot safely handle. The system attempts to decompress these payloads, which can expand to occupy gigabytes of memory, ultimately exhausting the server's resources and leading to a denial of service. This issue is considered significant because of its potential to disrupt services that rely on Unfurl for visual representation of data.
Technical Details
The vulnerability, tracked as CVE-2026-40036, exposes a critical flaw in the way Unfurl handles decompression of data with its implementation of zlib in parse_compressed.py. The flaw occurs because the module does not appropriately bound memory allocation when decompressing input, permitting attackers to submit compressed data that inflates uncontrollably during processing.
The CVSS score for CVE-2026-40036 is 7.5, classified as high. An attacker leveraging this vulnerability can submit an HTTP request with carefully crafted URL parameters to the /json/visjs endpoint. Because the size of the decompressed output is never checked, memory allocation grows without bound during decompression. Indicators of compromise (IOCs) include unusual spikes in memory usage and unresponsiveness of the affected server.
Unfurl versions affected by this vulnerability are those released before 2026.04. The vulnerability has been addressed by updating the library to version 2026.04 or later, introducing boundaries on decompression processes to prevent memory exhaustion.
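To make the flaw and the fix concrete, the following added example (written for this article, not Unfurl's own parse_compressed.py code) places the unbounded decompression pattern beside a bounded one built on zlib.decompressobj with max_length. The 1 MiB cap, the 64 KiB chunk size and the helper names are assumptions chosen for illustration; the sample payload is constructed from highly compressible zeros to stand in for a crafted request.

```python
import zlib
from typing import Tuple

# Illustrative cap on inflated output; not a value taken from Unfurl.
MAX_DECOMPRESSED_BYTES = 1 * 1024 * 1024  # 1 MiB
# Upper bound on bytes requested from zlib per call, so no single
# allocation depends on the attacker-controlled expansion ratio.
CHUNK = 64 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when inflated output would exceed the configured cap."""


def decompress_unbounded(data: bytes) -> bytes:
    # The vulnerable pattern: the output buffer is sized by whatever the
    # stream expands to, so a few KiB of input can demand GiB of memory.
    return zlib.decompress(data)


def decompress_bounded(data: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    # The hardened pattern: inflate in fixed-size chunks and abort as soon as
    # the running total crosses the cap, before the large allocation happens.
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending:
        # max_length=CHUNK guarantees at most CHUNK bytes come back per call;
        # input that could not yet be processed is left in unconsumed_tail.
        out += d.decompress(pending, CHUNK)
        if len(out) > limit:
            raise DecompressionLimitExceeded(
                f"inflated output exceeded {limit} bytes after {len(data)} input bytes"
            )
        pending = d.unconsumed_tail
    out += d.flush()
    if len(out) > limit:
        raise DecompressionLimitExceeded(f"inflated output exceeded {limit} bytes")
    return bytes(out)


def make_constructed_bomb(size: int = 8 * 1024 * 1024) -> bytes:
    # Constructed sample: 8 MiB of zeros compresses to a few KiB, giving the
    # extreme expansion ratio the vulnerability depends on.
    return zlib.compress(b"\0" * size, 9)


def try_decompress(data: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> Tuple[bool, int]:
    # Returns (accepted, inflated_length); inflated_length is -1 when rejected.
    try:
        return True, len(decompress_bounded(data, limit))
    except DecompressionLimitExceeded:
        return False, -1


if __name__ == "__main__":
    bomb = make_constructed_bomb()
    print(f"constructed payload: {len(bomb)} bytes compressed")
    print(f"unbounded path inflated to {len(decompress_unbounded(bomb))} bytes")
    accepted, n = try_decompress(bomb)
    print("bounded path:", "accepted" if accepted else "rejected before exceeding the cap")
    ok, n = try_decompress(zlib.compress(b"https://example.com/?q=1"))
    print(f"legitimate small parameter accepted={ok}, {n} bytes")
```

The chunked loop is what matters: a plain size check after zlib.decompress returns would run only after the memory has already been allocated, whereas checking the running total between max_length-bounded calls stops the inflation at the cap plus one chunk. A per-request cap of this kind is the "boundary on decompression" the 2026.04 fix is described as introducing; the exact value should reflect the largest legitimate parameter the endpoint is expected to receive.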
Impact
Organizations using Unfurl prior to version 2026.04 may experience significant operational disruptions if this vulnerability is exploited. The flaw allows malicious entities to orchestrate denial of service attacks, causing affected systems to crash due to memory overload. This could impact the availability of services that depend on Unfurl for parsing and visualizing data, leading to potential downtime until remediation is applied.
Given the high CVSS score, this vulnerability poses a tangible risk to any enterprise utilizing affected Unfurl versions, particularly those with public-facing endpoints that could be targeted remotely.
What To Do
- Upgrade Unfurl: Ensure that your installation of Unfurl is updated to version 2026.04 or later to incorporate the fix that mitigates this vulnerability.
- Monitor for IOCs: Regularly check system logs for unusual memory consumption patterns or service crashes that could indicate attempted exploitation.
- Network Defense: Implement rate limiting and input validation on endpoints like /json/visjs to reduce the risk of exploitation.
- Incident Response: Prepare incident response plans to swiftly address potential denial of service conditions resulting from this vulnerability.
The swift application of updates and vigilant monitoring are crucial steps in mitigating the impact of CVE-2026-40036. Organizations must evaluate their exposure to this vulnerability and promptly apply the necessary upgrades to ensure continued operational resilience.
Original Source
NVD