CVE-2026-41457
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling. Attackers can inject arbitrary SQL expressions via the query= and filter= parameters for integer-mapped DAAP fields.
Risk Assessment
The risk involves bypassing filters and gaining unauthorized access to media library data, potentially leading to exposure of sensitive information.
Recommendation
It is recommended to immediately upgrade OwnTone Server to a version later than 29.0, which includes a fix for the SQL injection vulnerability.
Original NVD description (English source)
OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.

