Description
An issue in the t_set_push component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Published: 2026-06-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue in the t_set_push component of the Virtuoso OpenSource database (v7.2.11) allows attackers to trigger a Denial of Service by submitting specially crafted SQL statements. The flaw leads to the database engine becoming unresponsive or crashing, disabling legitimate database operations for applications that depend on the instance and resulting in a loss of availability. The weakness stems from a SQL injection vulnerability (CWE-89).

Affected Systems

Vulnerable systems are installations of Openlink Virtuoso OpenSource version 7.2.11. No other vendors or product variants are identified from the available data.

Risk and Exploitability

The vulnerability can be exploited by transmitting malicious SQL to the t_set_push handler. Precise attack prerequisites are not listed, but it is inferred that network access to the database server is required. The CVSS score of 7.5 indicates moderately high severity, while the EPSS score of < 1% indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no indications of active exploitation are known.

Generated by OpenCVE AI on June 25, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Virtuoso OpenSource to a patched version that addresses the t_set_push DoS flaw.
  • Restrict database access so that only trusted users can submit queries, enforcing least‑privilege permissions on database roles.
  • Configure network firewalls to allow inbound traffic to the database port only from trusted networks, limiting the attack surface for crafted SQL submissions.

Generated by OpenCVE AI on June 25, 2026 at 18:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 25 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-400

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in t_set_push of Virtuoso OpenSource virtuoso-opensource: openlink virtuoso-opensource: Denial of Service via crafted SQL statements
Weaknesses CWE-89
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Openlink
Openlink virtuoso-opensource
Vendors & Products Openlink
Openlink virtuoso-opensource

Wed, 24 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in t_set_push of Virtuoso OpenSource
Weaknesses CWE-20
CWE-400

Wed, 24 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Openlink Virtuoso t_set_push
Weaknesses CWE-400
CWE-89

Wed, 24 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Openlink Virtuoso t_set_push
Weaknesses CWE-400
CWE-89

Wed, 24 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via crafted SQL in t_set_push component of Openlink Virtuoso 7.2.11
Weaknesses CWE-89

Wed, 24 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via crafted SQL in t_set_push component of Openlink Virtuoso 7.2.11
Weaknesses CWE-89

Tue, 23 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in Virtuoso OpenSource t_set_push Component
Weaknesses CWE-400
CWE-770

Tue, 23 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in Virtuoso OpenSource t_set_push Component
Weaknesses CWE-400
CWE-770

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description An issue in the t_set_push component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
References

Subscriptions

Openlink Virtuoso-opensource
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-25T16:34:23.588Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61027

cve-icon Vulnrichment

Updated: 2026-06-25T16:33:55.321Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T00:00:00Z

Links: CVE-2025-61027 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T18:30:14Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')