{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40036", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-08T13:39:22.099Z", "datePublished": "2026-04-08T21:35:28.460Z", "dateUpdated": "2026-05-14T16:05:32.651Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:06:56.600Z"}, "title": "Unfurl < 2026.04 - Denial of Service via Unbounded zlib Decompression", "descriptions": [{"lang": "en", "value": "Unfurl before\u00a02026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service."}], "datePublic": "2026-01-28T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-770", "description": "Allocation of Resources Without Limits or Throttling", "type": "CWE"}, {"lang": "en", "cweId": "CWE-409", "description": "Improper Handling of Highly Compressed Data (Data Amplification)", "type": "CWE"}]}], "affected": [{"vendor": "obsidianforensics", "product": "unfurl", "packageName": "dfir-unfurl", "repo": "https://github.com/obsidianforensics/unfurl", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.04", "versionType": "custom"}], "defaultStatus": "unaffected"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "references": [{"url": "https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-h5qv-qjv4-pc5m", "name": "GHSA Advisory GHSA-h5qv-qjv4-pc5m", "tags": ["vendor-advisory"]}, {"url": "https://github.com/obsidianforensics/unfurl/releases/tag/v2026.04", "name": "VulnCheck Advisory: dfir-unfurl - Denial of Service via Unbounded zlib Decompression", "tags": ["release-notes", "patch"]}, {"url": "https://www.vulncheck.com/advisories/dfir-unfurl-denial-of-service-via-unbounded-zlib-decompression", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "Mobasi Security Team", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-11T03:05:38.819397Z", "id": "CVE-2026-40036", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T16:05:32.651Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40036", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-11T03:05:38.819397Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-11T03:05:46.079Z"}}], "cna": {"title": "Unfurl < 2026.04 - Denial of Service via Unbounded zlib Decompression", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Mobasi Security Team"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/obsidianforensics/unfurl", "vendor": "obsidianforensics", "product": "unfurl", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.04", "versionType": "custom"}], "packageName": "dfir-unfurl", "defaultStatus": "unaffected"}], "datePublic": "2026-01-28T00:00:00.000Z", "references": [{"url": "https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-h5qv-qjv4-pc5m", "name": "GHSA Advisory GHSA-h5qv-qjv4-pc5m", "tags": ["vendor-advisory"]}, {"url": "https://github.com/obsidianforensics/unfurl/releases/tag/v2026.04", "name": "VulnCheck Advisory: dfir-unfurl - Denial of Service via Unbounded zlib Decompression", "tags": ["release-notes", "patch"]}, {"url": "https://www.vulncheck.com/advisories/dfir-unfurl-denial-of-service-via-unbounded-zlib-decompression", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Unfurl before\u00a02026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "Allocation of Resources Without Limits or Throttling"}, {"lang": "en", "type": "CWE", "cweId": "CWE-409", "description": "Improper Handling of Highly Compressed Data (Data Amplification)"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:06:56.600Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40036", "state": "PUBLISHED", "dateUpdated": "2026-05-14T16:05:32.651Z", "dateReserved": "2026-04-08T13:39:22.099Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-08T21:35:28.460Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ryandfir:unfurl:*:*:*:*:*:*:*:*", "matchCriteriaId": "49E6A5D0-361A-4D18-A6D6-1416EC2EBC9C", "versionEndExcluding": "2026.04", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unfurl before\u00a02026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service."}], "id": "CVE-2026-40036", "lastModified": "2026-04-17T15:56:41.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-08T22:16:24.190", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://github.com/obsidianforensics/unfurl/releases/tag/v2026.04"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-h5qv-qjv4-pc5m"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/dfir-unfurl-denial-of-service-via-unbounded-zlib-decompression"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-409"}, {"lang": "en", "value": "CWE-770"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,20250810]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "dfir-unfurl", "source": "cna", "vendor": "dfir-unfurl"}, "product": "dfir-unfurl", "vendor": "dfir-unfurl"}], "analysis": {"en": {"generated_at": "2026-04-08T23:25:57.137333+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading to Unfurl v2026.04 or later", "If an upgrade is not immediately possible, block or remove access to the /json/visjs endpoint to prevent unbounded decompression attempts", "Configure the service to impose strict limits on request payload sizes and memory usage", "Implement monitoring for sudden memory spikes or crashes to detect abuse early", "Verify that any URLs processed by parse_compressed.py come from trusted sources"], "summary": {"action": "Apply Patch", "impact": "Remote Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is Unfurl developed by obsidianforensics. All releases older than version 2026.04 are impacted; upgrading to v2026.04 or later releases the vulnerability.", "description_and_impact": "Unfurl versions before 2026.04 contain an unbounded zlib decompression flaw in the parse_compressed.py module. When a client submits an excessively compressed payload through the /json/visjs URL parameter, the server decompresses it without bounds, causing the application to consume gigabytes of memory and eventually crash. The result is a complete service outage for users of the Unfurl web interface. The issue maps to the CWE-409 (Uncontrolled Resource Consumption) and CWE-770 (Uncontrolled Memory Allocation) weaknesses.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score is not provided, but the lack of authentication requirements and the straightforward request structure make exploitation technically feasible. Because it is not listed in the CISA KEV catalog, there is no current evidence of widespread exploitation. The likely attack vector is remote HTTP requests to the /json/visjs endpoint, as inferred from the description."}}}}, "created": "2026-04-09T08:16:22.640002+00:00", "updated": "2026-04-09T08:25:48.524291+00:00", "vendors": ["dfir-unfurl", "dfir-unfurl$PRODUCT$dfir-unfurl"]}