216.73.216.102

CVE-2026-41457

· Published 22/04/2026 03:16 · Modified 22/04/2026 21:21

Labels: CVE-2026-41457 2026-04-22CVE-2026-41457CWE-89[email protected]

Essential information

Published
22/04/2026 03:16
Modified
22/04/2026 21:21
Author
Creator
CVSS
6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
owntone / owntone server cpe:2.3:a:owntone:owntone_server:28.4-29.0:*:*:*:*:*:*:*

References