CVE-2026-41457

EUVD-2026-24585
OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
VulnCheckCNA
6.9 MEDIUM
NETWORK
LOW
NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
owntone_projectowntone
28.4.0 ≤
𝑥
< 29.1.0
CNA
Common Weakness Enumeration
References
https://github.com/owntone/owntone-server/commit/d4784ebf2099ed1a4203333aee957e5c7553c217
https://www.vulncheck.com/advisories/owntone-server-sql-injection-via-query-and-filter-parameters