Vulnerability details: VCID-qtav-hqnd-b7fa
Vulnerability ID VCID-qtav-hqnd-b7fa
Aliases CVE-2009-3560
Summary A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrusted XML document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the worker MPM.
Status Published
Exploitability 0.5
Weighted Severity 2.1
Risk 1.1
Weaknesses (0)
There are no known CWE.
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3560.json
https://api.first.org/data/v1/epss?cve=CVE-2009-3560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
533174 https://bugzilla.redhat.com/show_bug.cgi?id=533174
560901 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560901
560919 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560919
560920 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560920
560921 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560921
560922 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560922
560926 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560926
560927 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560927
560928 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560928
560929 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560929
560930 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560930
560935 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560935
560936 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560936
560937 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560937
560940 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560940
560942 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560942
601053 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601053
CVE-2009-3560 https://httpd.apache.org/security/json/CVE-2009-3560.json
GLSA-201209-06 https://security.gentoo.org/glsa/201209-06
RHSA-2009:1625 https://access.redhat.com/errata/RHSA-2009:1625
RHSA-2017:3239 https://access.redhat.com/errata/RHSA-2017:3239
USN-890-1 https://usn.ubuntu.com/890-1/
USN-890-2 https://usn.ubuntu.com/890-2/
USN-890-3 https://usn.ubuntu.com/890-3/
USN-890-4 https://usn.ubuntu.com/890-4/
USN-890-5 https://usn.ubuntu.com/890-5/
USN-890-6 https://usn.ubuntu.com/890-6/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.86111
EPSS Score 0.0283
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:36:16.246976+00:00 Apache HTTPD Importer Import https://httpd.apache.org/security/json/CVE-2009-3560.json 38.0.0