Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-4vpr-rcq6-2ubz
Vulnerability ID VCID-4vpr-rcq6-2ubz
Aliases CVE-2023-36814
GHSA-4hpj-8rhv-9x87
PYSEC-2023-113
Summary Products.CMFCore are the key framework services for the Zope Content Management Framework (CMF). The use of Python's marshal module to handle unchecked input in a public method on `PortalFolder` objects can lead to an unauthenticated denial of service and crash situation. The code in question is exposed by all portal software built on top of `Products.CMFCore`, such as Plone. All deployments are vulnerable. The code has been fixed in `Products.CMFCore` version 3.2.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2023-36814
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2023-36814
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/products-cmfcore/PYSEC-2023-113.yaml
cvssv4 8.7 https://github.com/pypa/advisory-database/tree/main/vulns/products-cmfcore/PYSEC-2023-113.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/products-cmfcore/PYSEC-2023-113.yaml
cvssv3.1 7.5 https://github.com/zopefoundation/Products.CMFCore
cvssv4 8.7 https://github.com/zopefoundation/Products.CMFCore
generic_textual HIGH https://github.com/zopefoundation/Products.CMFCore
cvssv3.1 7.5 https://github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8ef429efef729be54e5
cvssv4 8.7 https://github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8ef429efef729be54e5
generic_textual HIGH https://github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8ef429efef729be54e5
ssvc Track https://github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8ef429efef729be54e5
cvssv3.1 7.5 https://github.com/zopefoundation/Products.CMFCore/commit/c1847a9042abe7965271fa73762dfe091b576de
cvssv4 8.7 https://github.com/zopefoundation/Products.CMFCore/commit/c1847a9042abe7965271fa73762dfe091b576de
generic_textual HIGH https://github.com/zopefoundation/Products.CMFCore/commit/c1847a9042abe7965271fa73762dfe091b576de
cvssv3.1 7.5 https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87
cvssv4 8.7 https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87
generic_textual HIGH https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87
ssvc Track https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-36814
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2023-36814
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-36814
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-36814
https://github.com/pypa/advisory-database/tree/main/vulns/products-cmfcore/PYSEC-2023-113.yaml
https://github.com/zopefoundation/Products.CMFCore
https://github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8ef429efef729be54e5
https://github.com/zopefoundation/Products.CMFCore/commit/c1847a9042abe7965271fa73762dfe091b576de
https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87
CVE-2023-36814 https://nvd.nist.gov/vuln/detail/CVE-2023-36814
GHSA-4hpj-8rhv-9x87 https://github.com/advisories/GHSA-4hpj-8rhv-9x87
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/products-cmfcore/PYSEC-2023-113.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/products-cmfcore/PYSEC-2023-113.yaml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/zopefoundation/Products.CMFCore
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/zopefoundation/Products.CMFCore
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8ef429efef729be54e5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8ef429efef729be54e5
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-22T16:42:37Z/ Found at https://github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8ef429efef729be54e5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/zopefoundation/Products.CMFCore/commit/c1847a9042abe7965271fa73762dfe091b576de
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/zopefoundation/Products.CMFCore/commit/c1847a9042abe7965271fa73762dfe091b576de
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-22T16:42:37Z/ Found at https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-36814
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-36814
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.52809
EPSS Score 0.00291
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:18:58.905128+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/products-cmfcore/PYSEC-2023-113.yaml 38.6.0