Description
An issue in the sqlo_tb_col_preds component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Published: 2026-06-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue in the sqlo_tb_col_preds component of OpenLink Virtuoso OpenSource version 7.2.11 allows attackers to cause a denial of service by sending specially crafted SQL statements. The vulnerability is classified under CWE‑89 and does not expose confidentiality or integrity, but it can render the database service unusable.

Affected Systems

The flaw affects the OpenLink Virtuoso OpenSource database engine, specifically version 7.2.11. No other vendors or product versions are mentioned in the available data.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalogue, indicating that it has not yet become a widely exploited threat. With a CVSS score of 7.5, the vulnerability is considered high severity. The attack vector is inferred to be remote, as the malicious SQL must be transmitted to the database server via a network connection. If successfully executed, the attacker can disrupt service availability, but there is no evidence of privilege escalation or data exfiltration.

Generated by OpenCVE AI on June 24, 2026 at 10:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release of OpenLink Virtuoso OpenSource that fixes the sqlo_tb_col_preds component.
  • If an upgrade is not immediately possible, limit network exposure by restricting database access to trusted hosts and applying firewall rules to block known malicious patterns.
  • Monitor database logs for anomalous or unusually large SQL queries and configure alerts to detect potential denial-of-service attempts.

Generated by OpenCVE AI on June 24, 2026 at 10:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Openlink
Openlink virtuoso-opensource
Vendors & Products Openlink
Openlink virtuoso-opensource

Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via crafted SQL in Virtuoso sqlo_tb_col_preds virtuoso-opensource: openlink virtuoso-opensource: Denial of Service via crafted SQL statements
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 24 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via crafted SQL in Virtuoso sqlo_tb_col_preds

Wed, 24 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso OpenSource 7.2.11

Wed, 24 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso OpenSource 7.2.11

Wed, 24 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in OpenLink Virtuoso OpenSource

Tue, 23 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in OpenLink Virtuoso OpenSource

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description An issue in the sqlo_tb_col_preds component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
References

Subscriptions

Openlink Virtuoso-opensource
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-23T16:57:22.941Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61022

cve-icon Vulnrichment

Updated: 2026-06-23T16:57:11.473Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T00:00:00Z

Links: CVE-2025-61022 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:07:08Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')