CVE-2026-41457

UNKNOWN 0.0

OwnTone Server < 29.1 SQL Injection via query and filter Parameters

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.

CWE	CWE-89
Vendor	owntone
Product	owntone-server
Published	Apr 22, 2026

Stay Ahead of the Next One

Get instant alerts for owntone owntone-server

Be the first to know when new unknown vulnerabilities affecting owntone owntone-server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

owntone / owntone-server

28.4.0 < 29.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/owntone/owntone-server/commit/d4784ebf2099ed1a4203333aee957e5c7553c217 vulncheck.com: https://www.vulncheck.com/advisories/owntone-server-sql-injection-via-query-and-filter-parameters

Credits

Younghyo Cho @ CIS Lab., Seoultech.