CVE-2009-1180 [Medium] | Security Vulnerability in Xpdf

CVE-2009-1180 is rated Moderate Risk (59.3/100): CVSS Medium severity, with high exploitation likelihood (EPSS 8.83%, 92th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. High exploitation likelihood—assess exposure and prioritize remediation.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-02-05	9.05%	8.83%	-0.22%
2	2026-02-04	4.67%	9.05%	+4.38%
3	2026-01-06	—	4.67%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-02-05

9.05%

8.83%

-0.22%

2026-02-04

4.67%

9.05%

+4.38%

2026-01-06

—

4.67%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.8	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:P/I:P/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	8.6	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.8

2.0

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

8.6

6.4

[email protected]

OS Trackers for CVE-2009-1180

vendor	priority	summary	link
`debian`	medium	CVE-2009-1180 medium priority: Debian including 2 source packages (poppler, xpdf), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10.	https://security-tracker.debian.org/tracker/CVE-2009-1180
`gentoo`	normal	CVE-2009-1180: 1 GLSA(s) (201310-03), 1 atom(s) (app-text/poppler); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2009-1180
`redhat`	high	—	https://access.redhat.com/security/cve/CVE-2009-1180
`suse`	medium	CVE-2009-1180 severity moderate: SUSE including 90 source package names (libpoppler-cpp0-0.43.0-15.1, libpoppler-cpp0-0.43.0-16.15.1, …), 157 product×package rows across 33 product lines (SUSE Linux Enterprise Desktop 12, SUSE Linux Enterprise Desktop 12 SP1, … (33 product lines)): Fixed 157.	https://www.suse.com/security/cve/CVE-2009-1180/
`ubuntu`	medium	CVE-2009-1180 medium priority: Ubuntu including 14 source packages (cups, cupsys, …), 476 status rows across 34 suites (artful, bionic, cosmic, dapper, disco, eoan, focal, groovy, gutsy, hardy, hirsute, impish, intrepid, jammy, jaunty, karmic, kinetic, lucid, lunar, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): DNE 216, not-affected 169, ignored 43 (5 distinct statuses).	https://ubuntu.com/security/CVE-2009-1180

Affected software / configurations for CVE-2009-1180

Vendor	Product	Version	Raw CPE
foolabs	xpdf	0.5a	cpe:2.3:a:foolabs:xpdf:0.5a:::::::*
foolabs	xpdf	0.7a	cpe:2.3:a:foolabs:xpdf:0.7a:::::::*
foolabs	xpdf	0.91a	cpe:2.3:a:foolabs:xpdf:0.91a:::::::*
foolabs	xpdf	0.91b	cpe:2.3:a:foolabs:xpdf:0.91b:::::::*
foolabs	xpdf	0.91c	cpe:2.3:a:foolabs:xpdf:0.91c:::::::*
foolabs	xpdf	0.92a	cpe:2.3:a:foolabs:xpdf:0.92a:::::::*
foolabs	xpdf	0.92b	cpe:2.3:a:foolabs:xpdf:0.92b:::::::*
foolabs	xpdf	0.92c	cpe:2.3:a:foolabs:xpdf:0.92c:::::::*
foolabs	xpdf	0.92d	cpe:2.3:a:foolabs:xpdf:0.92d:::::::*
foolabs	xpdf	0.92e	cpe:2.3:a:foolabs:xpdf:0.92e:::::::*
foolabs	xpdf	0.93a	cpe:2.3:a:foolabs:xpdf:0.93a:::::::*
foolabs	xpdf	0.93b	cpe:2.3:a:foolabs:xpdf:0.93b:::::::*
foolabs	xpdf	0.93c	cpe:2.3:a:foolabs:xpdf:0.93c:::::::*
foolabs	xpdf	1.00a	cpe:2.3:a:foolabs:xpdf:1.00a:::::::*
glyphandcog	xpdfreader	<= 3.02	cpe:2.3:a:glyphandcog:xpdfreader::::::::
glyphandcog	xpdfreader	0.2	cpe:2.3:a:glyphandcog:xpdfreader:0.2:::::::*
glyphandcog	xpdfreader	0.3	cpe:2.3:a:glyphandcog:xpdfreader:0.3:::::::*
glyphandcog	xpdfreader	0.4	cpe:2.3:a:glyphandcog:xpdfreader:0.4:::::::*
glyphandcog	xpdfreader	0.5	cpe:2.3:a:glyphandcog:xpdfreader:0.5:::::::*
glyphandcog	xpdfreader	0.6	cpe:2.3:a:glyphandcog:xpdfreader:0.6:::::::*
glyphandcog	xpdfreader	0.7	cpe:2.3:a:glyphandcog:xpdfreader:0.7:::::::*
glyphandcog	xpdfreader	0.80	cpe:2.3:a:glyphandcog:xpdfreader:0.80:::::::*
glyphandcog	xpdfreader	0.90	cpe:2.3:a:glyphandcog:xpdfreader:0.90:::::::*
glyphandcog	xpdfreader	0.91	cpe:2.3:a:glyphandcog:xpdfreader:0.91:::::::*
glyphandcog	xpdfreader	0.92	cpe:2.3:a:glyphandcog:xpdfreader:0.92:::::::*
glyphandcog	xpdfreader	0.93	cpe:2.3:a:glyphandcog:xpdfreader:0.93:::::::*
glyphandcog	xpdfreader	1.00	cpe:2.3:a:glyphandcog:xpdfreader:1.00:::::::*
glyphandcog	xpdfreader	1.01	cpe:2.3:a:glyphandcog:xpdfreader:1.01:::::::*
glyphandcog	xpdfreader	2.00	cpe:2.3:a:glyphandcog:xpdfreader:2.00:::::::*
glyphandcog	xpdfreader	2.01	cpe:2.3:a:glyphandcog:xpdfreader:2.01:::::::*
glyphandcog	xpdfreader	2.02	cpe:2.3:a:glyphandcog:xpdfreader:2.02:::::::*
glyphandcog	xpdfreader	2.03	cpe:2.3:a:glyphandcog:xpdfreader:2.03:::::::*
glyphandcog	xpdfreader	3.00	cpe:2.3:a:glyphandcog:xpdfreader:3.00:::::::*
glyphandcog	xpdfreader	3.01	cpe:2.3:a:glyphandcog:xpdfreader:3.01:::::::*
poppler	poppler	<= 0.10.5	cpe:2.3:a:poppler:poppler::::::::
poppler	poppler	0.1	cpe:2.3:a:poppler:poppler:0.1:::::::*
poppler	poppler	0.1.1	cpe:2.3:a:poppler:poppler:0.1.1:::::::*
poppler	poppler	0.1.2	cpe:2.3:a:poppler:poppler:0.1.2:::::::*
poppler	poppler	0.2.0	cpe:2.3:a:poppler:poppler:0.2.0:::::::*
poppler	poppler	0.3.0	cpe:2.3:a:poppler:poppler:0.3.0:::::::*
poppler	poppler	0.3.1	cpe:2.3:a:poppler:poppler:0.3.1:::::::*
poppler	poppler	0.3.2	cpe:2.3:a:poppler:poppler:0.3.2:::::::*
poppler	poppler	0.3.3	cpe:2.3:a:poppler:poppler:0.3.3:::::::*
poppler	poppler	0.4.0	cpe:2.3:a:poppler:poppler:0.4.0:::::::*
poppler	poppler	0.4.1	cpe:2.3:a:poppler:poppler:0.4.1:::::::*
poppler	poppler	0.4.2	cpe:2.3:a:poppler:poppler:0.4.2:::::::*
poppler	poppler	0.4.3	cpe:2.3:a:poppler:poppler:0.4.3:::::::*
poppler	poppler	0.4.4	cpe:2.3:a:poppler:poppler:0.4.4:::::::*
poppler	poppler	0.5.0	cpe:2.3:a:poppler:poppler:0.5.0:::::::*
poppler	poppler	0.5.1	cpe:2.3:a:poppler:poppler:0.5.1:::::::*
poppler	poppler	0.5.2	cpe:2.3:a:poppler:poppler:0.5.2:::::::*
poppler	poppler	0.5.3	cpe:2.3:a:poppler:poppler:0.5.3:::::::*
poppler	poppler	0.5.4	cpe:2.3:a:poppler:poppler:0.5.4:::::::*
poppler	poppler	0.5.9	cpe:2.3:a:poppler:poppler:0.5.9:::::::*
poppler	poppler	0.5.90	cpe:2.3:a:poppler:poppler:0.5.90:::::::*
poppler	poppler	0.5.91	cpe:2.3:a:poppler:poppler:0.5.91:::::::*
poppler	poppler	0.6.0	cpe:2.3:a:poppler:poppler:0.6.0:::::::*
poppler	poppler	0.6.1	cpe:2.3:a:poppler:poppler:0.6.1:::::::*
poppler	poppler	0.6.2	cpe:2.3:a:poppler:poppler:0.6.2:::::::*
poppler	poppler	0.6.3	cpe:2.3:a:poppler:poppler:0.6.3:::::::*
poppler	poppler	0.6.4	cpe:2.3:a:poppler:poppler:0.6.4:::::::*
poppler	poppler	0.7.0	cpe:2.3:a:poppler:poppler:0.7.0:::::::*
poppler	poppler	0.7.1	cpe:2.3:a:poppler:poppler:0.7.1:::::::*
poppler	poppler	0.7.2	cpe:2.3:a:poppler:poppler:0.7.2:::::::*
poppler	poppler	0.7.3	cpe:2.3:a:poppler:poppler:0.7.3:::::::*
poppler	poppler	0.8.0	cpe:2.3:a:poppler:poppler:0.8.0:::::::*
poppler	poppler	0.8.1	cpe:2.3:a:poppler:poppler:0.8.1:::::::*
poppler	poppler	0.8.2	cpe:2.3:a:poppler:poppler:0.8.2:::::::*
poppler	poppler	0.8.3	cpe:2.3:a:poppler:poppler:0.8.3:::::::*
poppler	poppler	0.8.4	cpe:2.3:a:poppler:poppler:0.8.4:::::::*
poppler	poppler	0.8.5	cpe:2.3:a:poppler:poppler:0.8.5:::::::*
poppler	poppler	0.8.6	cpe:2.3:a:poppler:poppler:0.8.6:::::::*
poppler	poppler	0.8.7	cpe:2.3:a:poppler:poppler:0.8.7:::::::*
poppler	poppler	0.9.0	cpe:2.3:a:poppler:poppler:0.9.0:::::::*
poppler	poppler	0.9.1	cpe:2.3:a:poppler:poppler:0.9.1:::::::*
poppler	poppler	0.9.2	cpe:2.3:a:poppler:poppler:0.9.2:::::::*
poppler	poppler	0.9.3	cpe:2.3:a:poppler:poppler:0.9.3:::::::*
poppler	poppler	0.10.0	cpe:2.3:a:poppler:poppler:0.10.0:::::::*
poppler	poppler	0.10.1	cpe:2.3:a:poppler:poppler:0.10.1:::::::*
poppler	poppler	0.10.2	cpe:2.3:a:poppler:poppler:0.10.2:::::::*

References for CVE-2009-1180

URL	Tags
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
http://poppler.freedesktop.org/releases.html	Patch Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2009-0458.html	Patch
http://secunia.com/advisories/34291	Vendor Advisory
http://secunia.com/advisories/34481	Vendor Advisory
http://secunia.com/advisories/34746	Vendor Advisory
http://secunia.com/advisories/34755	Vendor Advisory
http://secunia.com/advisories/34756	Vendor Advisory
http://secunia.com/advisories/34852	Vendor Advisory
http://secunia.com/advisories/34959	Vendor Advisory
http://secunia.com/advisories/34963	Vendor Advisory
http://secunia.com/advisories/34991	Vendor Advisory
http://secunia.com/advisories/35037	Vendor Advisory
http://secunia.com/advisories/35064	Vendor Advisory
http://secunia.com/advisories/35065	Vendor Advisory
http://secunia.com/advisories/35618	Vendor Advisory
http://secunia.com/advisories/35685	Vendor Advisory
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.578477
http://www.debian.org/security/2009/dsa-1790	Patch
http://www.debian.org/security/2009/dsa-1793	Patch
http://www.kb.cert.org/vuls/id/196617	US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2009:101
http://www.mandriva.com/security/advisories?name=MDVSA-2010:087
http://www.mandriva.com/security/advisories?name=MDVSA-2011:175
http://www.redhat.com/support/errata/RHSA-2009-0429.html	Patch
http://www.redhat.com/support/errata/RHSA-2009-0430.html	Patch
http://www.redhat.com/support/errata/RHSA-2009-0431.html	Patch
http://www.redhat.com/support/errata/RHSA-2009-0480.html	Patch
http://www.securityfocus.com/bid/34568	Patch
http://www.securitytracker.com/id?1022073
http://www.vupen.com/english/advisories/2009/1065	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1066	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1076	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1077	Vendor Advisory
http://www.vupen.com/english/advisories/2010/1040	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=495892
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9926
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00567.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01277.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01291.html

URL

CVE-2009-1180

Exploit prediction scoring system (EPSS) score for CVE-2009-1180

Common vulnerability scoring system (CVSS) metrics for CVE-2009-1180

Weakness enumeration for CVE-2009-1180

OS Trackers for CVE-2009-1180

Affected software / configurations for CVE-2009-1180

References for CVE-2009-1180