ByteOS Network

owntone-server

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-41458

Assigner-VulnCheck

View Details

Assigner-VulnCheck

CVSS Score-8.2||HIGH

EPSS-0.65% / 71.12%

7 Day CHG+0.05%

Published-22 Apr, 2026 | 01:46

Updated-25 May, 2026 | 23:42

OwnTone Server < 29.1 Race Condition DoS via DAAP Login

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

Vendor-owntone

Product-owntone-server

CWE ID-CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVE-2026-41457

Assigner-VulnCheck

View Details

Assigner-VulnCheck

CVSS Score-6.9||MEDIUM

EPSS-0.05% / 16.17%

7 Day CHG~0.00%

Published-22 Apr, 2026 | 01:46

Updated-22 Apr, 2026 | 13:08

OwnTone Server < 29.1 SQL Injection via query and filter Parameters

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.

Vendor-owntone

Product-owntone-server

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')