CVE Catalog

CVE-2026-41457

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile - higher than 19% of all known CVEs

Summary

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling. Attackers can inject arbitrary SQL expressions via the query= and filter= parameters for integer-mapped DAAP fields.

Risk Assessment

The risk involves bypassing filters and gaining unauthorized access to media library data, potentially leading to exposure of sensitive information.

Recommendation

It is recommended to immediately upgrade OwnTone Server to a version later than 29.0, which includes a fix for the SQL injection vulnerability.

Original NVD description (English source)

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS