Description
An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Published: 2026-06-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the sqlo_strip_in_join component of OpenLink Virtuoso Open Source version 7.2.11. When an attacker submits specially crafted SQL statements, the component fails to properly validate or sanitize the input, causing the database engine to enter an abnormal state or consume excessive resources. This results in a loss of availability for the database service and any applications that depend on it.

Affected Systems

OpenLink Virtuoso Open Source version 7.2.11 is the only version explicitly documented as affected. No other products, vendors, or versions have been identified in the current data.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, though the EPSS score is not available, so the exact likelihood of exploitation is unknown. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread exploitation has been recorded. The attack vector is inferred to be remote: an attacker would need network access to the database’s interface to send malformed SQL queries.

Generated by OpenCVE AI on June 24, 2026 at 09:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of OpenLink Virtuoso Open Source that includes the fix for the sqlo_strip_in_join component.
  • If an upgrade cannot be performed immediately, enforce stricter query timeouts, restrict the complexity or length of incoming SQL commands, and limit which clients are allowed to execute queries against the database.
  • Network perimeter controls such as firewall rules, VPN, or subnet segmentation should be applied to restrict external access to the database server and reduce the attack surface.

Generated by OpenCVE AI on June 24, 2026 at 09:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in OpenLink Virtuoso's sqlo_strip_in_join virtuoso-opensource: openlink virtuoso-opensource: Denial of Service via crafted SQL statements
References
Metrics threat_severity

None

threat_severity

Important


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Openlink
Openlink virtuoso-opensource
Vendors & Products Openlink
Openlink virtuoso-opensource

Wed, 24 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in OpenLink Virtuoso's sqlo_strip_in_join

Wed, 24 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso sqlo_strip_in_join

Wed, 24 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso sqlo_strip_in_join

Tue, 23 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in Virtuoso sqlo_strip_in_join Component
Weaknesses CWE-207
CWE-770

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in Virtuoso sqlo_strip_in_join Component
Weaknesses CWE-207
CWE-770

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
References

Subscriptions

Openlink Virtuoso-opensource
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-30T03:20:51.525Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61020

cve-icon Vulnrichment

Updated: 2026-06-30T02:46:22.860Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-23T00:00:00Z

Links: CVE-2025-61020 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:06:41Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')