CVE-2026-41457

Published: Apr 22, 2026

Modified: Apr 22, 2026

PUBLISHED

Description

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.

Vendor: owntone

Product: owntone-server

Versions:
affected: 28.4.0 - < 29.1.0
unaffected: d4784ebf2099ed1a4203333aee957e5c7553c217

Weaknesses (CWE)
