Primary

Context

OwnTone Server SQL Injection Vulnerability in DAAP Query and Filter Handling

Vulnerability

A SQL injection vulnerability has been identified in OwnTone Server versions 28.4 prior to 29.1. This vulnerability arises in the handling of DAAP query and filter parameters, allowing attackers to inject arbitrary SQL expressions. The exploitation involves supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. The vulnerability is due to inadequate sanitization of these parameters, which can be exploited to bypass filters and gain unauthorized access to media library data.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate SQL queries to access or modify database information. In this case, it could lead to unauthorized access to media library data.

Remediation

Users can update to OwnTone Server version 29.1 or later, where this vulnerability has been patched.

Added: Apr 22, 2026, 3:27 AM

Updated: Apr 22, 2026, 3:27 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.3

exploitability

8.1

remediation

0.0

relevance

6.2

threat

3.2

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.3

exploitability

8.1

remediation

0.0

relevance

6.2

threat

3.2

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

OwnTone Server SQL Injection Vulnerability in DAAP Query and Filter Handling

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating