Filtered by vendor Owntone
Total: 10 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-41457 | 1 Owntone | 1 Owntone-server | 2026-04-22 | N/A | OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data. |
| CVE-2026-41458 | 1 Owntone | 1 Server | 2026-04-22 | N/A | OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication. |
| CVE-2025-44560 | 1 Owntone | 1 Owntone-server | 2026-04-15 | 9.8 Critical | owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking. |
| CVE-2026-26828 | 1 Owntone | 1 Owntone-server | 2026-03-25 | 7.5 High | A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. |
| CVE-2026-26829 | 1 Owntone | 1 Owntone-server | 2026-03-25 | 7.5 High | A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server. |
| CVE-2025-63647 | 1 Owntone | 2 Owntone-server, Owntone Server | 2026-02-13 | 7.5 High | A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. |
| CVE-2021-38383 | 1 Owntone | 1 Owntone Server | 2026-02-13 | 9.8 Critical | OwnTone (aka owntone-server) through 28.1 has a use-after-free in net_bind() in misc.c. |
| CVE-2025-57155 | 1 Owntone | 2 Owntone-server, Owntone Server | 2026-02-13 | 7.5 High | NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. |
| CVE-2025-63648 | 1 Owntone | 2 Owntone-server, Owntone Server | 2026-02-13 | 7.5 High | A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. |
| CVE-2025-57156 | 1 Owntone | 2 Owntone-server, Owntone Server | 2026-02-13 | 7.5 High | NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash). |