Description
An issue in the sqlo_try_in_loop component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Published: 2026-06-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the sqlo_try_in_loop component of openlink virtuoso-opensource version 7.2.11 allows an attacker to send crafted SQL statements that cause the database server to hang and become unresponsive. This is an example of uncontrolled resource consumption caused by unchecked input (CWE-606), and it also provides a vector for SQL injection (CWE-89). The outcome is loss of service availability for any applications relying on the database, potentially disrupting business operations.

Affected Systems

The openlink virtuoso-opensource product version 7.2.11 is affected. No other versions or distributions are listed in the provided data.

Risk and Exploitability

The CVSS score is 7.5, no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation. The likely attack vector is any client that can send SQL commands to the connection to the Virtuoso engine. The impact is limited to service availability, with confidentiality and integrity remaining intact. The severity suggests that a successful attack could disrupt applications that rely on the database and could be mitigated by limiting access or applying a patch.

Generated by OpenCVE AI on June 24, 2026 at 14:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest supported release of openlink virtuoso-opensource that includes the fix for this vulnerability.
  • If a patch is not yet available, isolate the database server from unauthenticated network traffic by configuring firewall rules or access control lists to allow only trusted hosts.
  • Configure Virtuoso to enforce reasonable timeouts and resource limits for SQL queries to reduce the risk of a single request monopolizing the server.

Generated by OpenCVE AI on June 24, 2026 at 14:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Openlink
Openlink virtuoso-opensource
Vendors & Products Openlink
Openlink virtuoso-opensource

Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in Virtuoso's sqlo_try_in_loop Component virtuoso-opensource: virtuoso-opensource: Denial of Service via crafted SQL statements in sqlo_try_in_loop
Weaknesses CWE-606
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 24 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in Virtuoso's sqlo_try_in_loop Component

Wed, 24 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Injection in Virtuoso OpenSource

Wed, 24 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Injection in Virtuoso OpenSource

Tue, 23 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso sqlo_try_in_loop
Weaknesses CWE-20
CWE-770

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso sqlo_try_in_loop
Weaknesses CWE-20
CWE-770

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description An issue in the sqlo_try_in_loop component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
References

Subscriptions

Openlink Virtuoso-opensource
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-23T17:51:55.443Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61024

cve-icon Vulnrichment

Updated: 2026-06-23T17:51:44.876Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T00:00:00Z

Links: CVE-2025-61024 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:07:05Z

Weaknesses
  • CWE-606

    Unchecked Input for Loop Condition

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')