{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41457", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-20T16:07:47.310Z", "datePublished": "2026-04-22T01:46:12.354Z", "dateUpdated": "2026-04-22T13:08:55.971Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T01:46:12.354Z"}, "title": "OwnTone Server < 29.1 SQL Injection via query and filter Parameters", "datePublic": "2026-03-08T16:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "affected": [{"vendor": "owntone", "product": "owntone-server", "repo": "https://github.com/owntone/owntone-server", "versions": [{"status": "affected", "version": "28.4.0", "lessThan": "29.1.0", "versionType": "semver"}, {"status": "unaffected", "version": "d4784ebf2099ed1a4203333aee957e5c7553c217", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.<br>"}]}], "references": [{"url": "https://github.com/owntone/owntone-server/commit/d4784ebf2099ed1a4203333aee957e5c7553c217", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/owntone-server-sql-injection-via-query-and-filter-parameters", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Younghyo Cho @ CIS Lab., Seoultech.", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:08:48.183979Z", "id": "CVE-2026-41457", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:08:55.971Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41457", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-20T16:07:47.310Z", "datePublished": "2026-04-22T01:46:12.354Z", "dateUpdated": "2026-04-22T13:08:55.971Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T01:46:12.354Z"}, "title": "OwnTone Server < 29.1 SQL Injection via query and filter Parameters", "datePublic": "2026-03-08T16:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "affected": [{"vendor": "owntone", "product": "owntone-server", "repo": "https://github.com/owntone/owntone-server", "versions": [{"status": "affected", "version": "28.4.0", "lessThan": "29.1.0", "versionType": "semver"}, {"status": "unaffected", "version": "d4784ebf2099ed1a4203333aee957e5c7553c217", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.<br>"}]}], "references": [{"url": "https://github.com/owntone/owntone-server/commit/d4784ebf2099ed1a4203333aee957e5c7553c217", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/owntone-server-sql-injection-via-query-and-filter-parameters", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Younghyo Cho @ CIS Lab., Seoultech.", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41457", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T13:08:48.183979Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:08:52.505Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data."}], "id": "CVE-2026-41457", "lastModified": "2026-04-22T03:16:00.613", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-22T03:16:00.613", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/owntone/owntone-server/commit/d4784ebf2099ed1a4203333aee957e5c7553c217"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/owntone-server-sql-injection-via-query-and-filter-parameters"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[28.4.0,29.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "d4784ebf2099ed1a4203333aee957e5c7553c217"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "owntone-server", "source": "cna", "vendor": "owntone"}, "product": "owntone-server", "vendor": "owntone"}], "analysis": {"en": {"generated_at": "2026-04-22T04:22:56.933188+00:00", "value": {"mitigation_remediation": ["Upgrade OwnTone Server to version 29.1 or later.", "Restrict network access to the DAAP service and disable public access if possible.", "Implement input validation or filter out the query= and filter= parameters using a reverse\u2011proxy or firewall to block injection attempts."], "summary": {"action": "Patch Immediately", "impact": "Data Exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects OwnTone Server software from version 28.4 up to and including 29.0. Only these builds are susceptible; version 29.1 and later are unaffected.", "description_and_impact": "OwnTone Server versions 28.4 through 29.0 include a SQL injection flaw in the handling of DAAP query and filter parameters. The flaw allows attackers to supply crafted values for integer-mapped DAAP fields through the query= and filter= HTTP parameters, bypassing the intended input sanitization and injecting arbitrary SQL expressions. The resulting SQL injection permits unauthorized read access to the media library database, potentially exposing confidential media metadata and file paths.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity. While no EPSS score is publicly available and the vulnerability is not listed in the CISA KEV catalog, the flaw is potentially exploitable remotely over the DAAP interface, assuming the service is reachable by unauthenticated users. Attackers would need to craft malicious query or filter parameters to trigger the injection, making the attack vector likely network\u2011based via the DAAP protocol. The impact is primarily unauthorized data access rather than system compromise."}}}}, "created": "2026-04-22T03:30:06.536756+00:00", "updated": "2026-04-22T04:30:05.300871+00:00", "vendors": ["owntone", "owntone$PRODUCT$owntone-server"]}