SQL Injection in Owntone Owntone-server
CVE-2026-41457
OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parame…
Vulnerability class: SQL Injection
EPSS: 0.001 (16.4th percentile)
Affected products
- Owntone Owntone-server — versions 28.4.0, d4784ebf2099ed1a4203333aee957e5c7553c217