CVE-2025-61028
An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via craft
CVSS
7.5
Alto
EPSS
0.5%
p38
KEV
—
Exploit Today
12
0-100
Publicado: 23 jun 2026 · Última mod.: 15 jul 2026 · CWE-89 · CWE-770
0.5%EPSS · 30 días0.5%
2026-06-302026-07-17
An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- github.comhttps://github.com/openlink/virtuoso-opensource/issues/1233
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2025-61028
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2491830
- github.comhttps://github.com/openlink/virtuoso-opensource/issues/1233
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61028.json
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-422089.8 CRÍ99.7%
KEV—80BerriAI LiteLLM SQL Injection Vulnerability3dCVE-2020-249139.8 CRÍ98.5%
——30A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.10dCVE-2026-217107.5 ALT97.8%
——29A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.
When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.
* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**3dCVE-2026-479927.2 ALT97.1%
——29Adobe Commerce is affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to execute malicious SQL commands, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction.3dCVE-2022-366358.8 ALT96.7%
——29ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.9dCVE-2023-409316.5 MED95.5%
——29A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php9d