Description
An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Published: 2026-06-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The st_compare component within OpenLink Virtuoso OpenSource version 7.2.11 contains a flaw that allows an attacker to craft specific SQL statements. When these statements target st_compare, the database engine may consume excessive resources or crash, interrupting service. This weakness is classified as a resource exhaustion vulnerability and is associated with the CWE‑89 identifier.

Affected Systems

OpenLink Virtuoso OpenSource version 7.2.11 is the only explicitly listed affected release. No other versions or package variants appear to be impacted based on the current advisory. Administrators should confirm deployment of this exact version and determine whether a patch or upgrade is required.

Risk and Exploitability

The vulnerability is not listed in the CISA KEV catalog. The CVSS score of 7.5 indicates a high severity, while the EPSS score of <1% suggests a low exploitation probability at this time. Successful exploitation would cause a Denial of Service by exhausting system resources or crashing the database. The risk is higher in environments where the database is exposed to unauthenticated or poorly authenticated users, or where untrusted input can reach the st_compare component. Monitoring for abnormal query patterns or resource usage spikes is advisable to detect attempted exploitation.

Generated by OpenCVE AI on June 25, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenLink Virtuoso to any release that includes the st_compare fix, preferably the latest maintenance or security update for the OpenSource edition.
  • If upgrading is not immediately feasible, restrict or disable the st_compare command in the database configuration or modify application code so that untrusted input never reaches this component.
  • Ensure role‑based access controls limit who can submit raw SQL queries, thereby reducing the potential attack surface.
  • Monitor database activity for abnormal query patterns or resource consumption spikes that could indicate attempted exploitation.

Generated by OpenCVE AI on June 25, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title virtuoso-opensource: Virtuoso-opensource: Denial of Service in st_compare component via crafted SQL statements
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Openlink
Openlink virtuoso-opensource
Vendors & Products Openlink
Openlink virtuoso-opensource

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
CWE-89

Wed, 24 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in OpenLink Virtuoso OpenSource st_compare Component
Weaknesses CWE-770
CWE-89

Wed, 24 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in OpenLink Virtuoso OpenSource st_compare Component
Weaknesses CWE-770
CWE-89

Wed, 24 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso st_compare
Weaknesses CWE-770
CWE-89

Wed, 24 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso st_compare
Weaknesses CWE-770
CWE-89

Tue, 23 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso st_compare Component
Weaknesses CWE-770
CWE-89

Tue, 23 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso st_compare Component
Weaknesses CWE-770
CWE-89

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
References

Subscriptions

Openlink Virtuoso-opensource
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-30T03:16:29.964Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61023

cve-icon Vulnrichment

Updated: 2026-06-30T02:42:20.850Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-23T00:00:00Z

Links: CVE-2025-61023 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T04:00:07Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')