Description
An issue in the sslr_qst_get component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Published: 2026-06-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crafted SQL statements targeting the sslr_qst_get component in OpenLink Virtuoso OpenSource version 7.2.11 cause the database server to crash or stop responding, resulting in a denial of service. The underlying weakness is an input validation failure that allows malformed queries to be processed, either exhausting server resources or triggering a fatal error. Although this flaw does not expose data or enable code execution, its effect—unavailability of database services—can disrupt business operations.

Affected Systems

The only affected product listed is OpenLink Virtuoso‑OpenSource version 7.2.11. The vulnerability applies to deployments that expose the sslr_qst_get interface to external or internal clients.

Risk and Exploitability

The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, indicating no publicly known exploits. Based on the description, it is inferred that any client capable of sending crafted SQL to the sslr_qst_get endpoint can trigger the problem, potentially over the network or within the local network. With a CVSS score of 7.5, the risk is moderate‑to‑high; the lack of known active exploits lowers the immediate likelihood, but the availability impact remains significant.

Generated by OpenCVE AI on June 24, 2026 at 11:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Virtuoso stack release that includes the sslr_qst_get fix; verify the release notes for a version newer than 7.2.11.
  • Restrict access to the sslr_qst_get endpoint using firewall rules or network segmentation, allowing only trusted hosts to connect.
  • Configure request throttling, connection limits, and appropriate timeouts on the database or application server to mitigate resource exhaustion by a single client.
  • Monitor database logs for repeated malformed query attempts and generate alerts for anomalous activity to detect potential exploitation attempts early.

Generated by OpenCVE AI on June 24, 2026 at 11:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title virtuoso-opensource: virtuoso-opensource: Denial of Service via crafted SQL statements
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Openlink
Openlink virtuoso-opensource
Vendors & Products Openlink
Openlink virtuoso-opensource

Wed, 24 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso sslr_qst_get Component

Wed, 24 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso sslr_qst_get Component

Wed, 24 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso OpenSource sslr_qst_get

Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso OpenSource sslr_qst_get

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
CWE-89
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description An issue in the sslr_qst_get component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
References

Subscriptions

Openlink Virtuoso-opensource
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-23T16:56:41.437Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61025

cve-icon Vulnrichment

Updated: 2026-06-23T16:54:18.976Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T00:00:00Z

Links: CVE-2025-61025 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:07:03Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')