Description
An issue in the sqlo_key_part_best component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Published: 2026-06-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue in the sqlo_key_part_best component of Virtuoso OpenSource version 7.2.11 allows attackers to trigger a denial of service by submitting specially crafted to CWE-89, indicating problems with input validation and potential SQL injection. The database engine can become unresponsive or temporarily unavailable, disrupting availability for applications that rely on the database.

Affected Systems

This vulnerability affects Virtuoso OpenSource version 7.2.11. The problem resides in the sqlo_key_part_best component. No other versions or products are currently known to be impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates moderate severity, while the EPSS score of <1% shows a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, meaning no known widespread exploitation. Based on the description, it is inferred that the attacker only needs the ability to submit queries and does not require elevated privileges. Likely attack vectors include any SQL client or front‑end that sends queries to the database; once triggered, the service may crash legitimate users. The effect is confined to the affected database instance unless it is leveraged to compromise other components or applications built on top of the database.

Generated by OpenCVE AI on June 25, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Virtuoso OpenSource to a patched version that fixes the sqlo_key_part_best vulnerability.
  • Restrict database access to trusted networks or authenticated users by configuring firewalls or access control, reducing the likelihood of malicious query submission.
  • Enable auditing of query traffic and set thresholds for excessive query rates; consider temporarily disabling public query interfaces until the patch is applied.

Generated by OpenCVE AI on June 25, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 25 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-503

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title DoS Vulnerability in Virtuoso OpenSource sqlo_key_part_best Component via Crafted SQL Statements virtuoso-opensource: virtuoso-opensource: Denial of Service via crafted SQL statements
Weaknesses CWE-89
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Openlink
Openlink virtuoso-opensource
Vendors & Products Openlink
Openlink virtuoso-opensource

Wed, 24 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Title DoS Vulnerability in Virtuoso OpenSource sqlo_key_part_best Component via Crafted SQL Statements
Weaknesses CWE-399
CWE-503

Wed, 24 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso OpenSource 7.2.11
Weaknesses CWE-20
CWE-944

Wed, 24 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso OpenSource 7.2.11
Weaknesses CWE-20
CWE-944

Wed, 24 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in Virtuoso sqlo_key_part_best
Weaknesses CWE-400

Wed, 24 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in Virtuoso sqlo_key_part_best
Weaknesses CWE-400

Tue, 23 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in Virtuoso OpenSource sqlo_key_part_best
Weaknesses CWE-400

Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in Virtuoso OpenSource sqlo_key_part_best
Weaknesses CWE-400

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description An issue in the sqlo_key_part_best component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
References

Subscriptions

Openlink Virtuoso-opensource
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-25T19:54:27.825Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61019

cve-icon Vulnrichment

Updated: 2026-06-25T19:54:23.845Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T00:00:00Z

Links: CVE-2025-61019 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T21:45:15Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')