Unbounded Zlib Decompression Vulnerability in Unfurl by Obsidian Forensics
CVE-2026-40036

8.7HIGH

Key Information:

Vendor

Obsidianforensics

Status
Unfurl
Vendor
CVE Published:
8 April 2026

What is CVE-2026-40036?

The Unfurl tool developed by Obsidian Forensics is vulnerable due to an unbounded zlib decompression flaw found in parse_compressed.py. This vulnerability allows remote attackers to submit specially crafted, highly compressed payloads through URL parameters to the /json/visjs endpoint. The payloads can expand to gigabytes when processed, potentially exhausting server memory resources and leading to service crashes. It's essential for users of affected versions to apply necessary patches to mitigate these risks and maintain service reliability.

Affected Version(s)

unfurl 0 < 2026.04

References

https://github.com/obsidianforensics/unfurl/security/advi...
vendor-advisory
https://github.com/obsidianforensics/unfurl/releases/tag/...
release-notespatch
https://www.vulncheck.com/advisories/dfir-unfurl-denial-o...
third-party-advisory

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mobasi Security Team
.