Description
An issue in the sqlo_untry component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Published: 2026-06-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue resides in the sqlo_untry component of OpenLink Virtuoso OpenSource 7.2.11. This vulnerability, identified as CWE-89, enables an attacker to trigger a denial of service by submitting crafted SQL statements. The resulting service disruption renders the database unavailable to legitimate users, potentially impacting business operations and applications dependent on the database.

Affected Systems

This vulnerability affects systems running OpenLink Virtuoso OpenSource version 7.2.11. No other products or versions are explicitly identified as impacted, and newer releases may include a fix. Users deploying this exact release should consider remediation actions promptly.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must be able to interact with the database interface—either through an exposed SQL endpoint or an authenticated session—to deliver the malicious query. Successful exploitation results in a denial of service of the database server, potentially affecting all applications relying on it.

Generated by OpenCVE AI on June 24, 2026 at 10:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Virtuoso OpenSource release that contains the sqlo_untry fix, preferably the latest in the 7.2 series
  • Enforce database‑level timeouts, resource quotas, and restrict access to the database server to trusted hosts only
  • Implement sanitization and input validation for all incoming SQL queries, and monitor error logs for repeated failures

Generated by OpenCVE AI on June 24, 2026 at 10:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Openlink
Openlink virtuoso-opensource
Vendors & Products Openlink
Openlink virtuoso-opensource

Wed, 24 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in OpenLink Virtuoso OpenSource sqlo_untry Component

Wed, 24 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL Statements in OpenLink Virtuoso OpenSource sqlo_untry Component

Wed, 24 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Denial of Service Vulnerability in Virtuoso sqlo_untry Component

Wed, 24 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Denial of Service Vulnerability in Virtuoso sqlo_untry Component

Tue, 23 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title sqlo_untry Component Denial of Service via Crafted SQL in Virtuoso OpenSource
Weaknesses CWE-770

Tue, 23 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Title sqlo_untry Component Denial of Service via Crafted SQL in Virtuoso OpenSource
Weaknesses CWE-770

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description An issue in the sqlo_untry component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
References

Subscriptions

Openlink Virtuoso-opensource
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-23T17:51:13.834Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61029

cve-icon Vulnrichment

Updated: 2026-06-23T17:50:58.684Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:06:40Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')