Owntone Server
Sign in to watchby Owntone
Source repositories
CVEs (9)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-44560 | Cri | 0.64 | 9.8 | 0.00 | Apr 10, 2026 | owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking. | |
| CVE-2026-41458 | Hig | 0.53 | — | 0.00 | Apr 22, 2026 | OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication. | |
| CVE-2026-26829 | Hig | 0.49 | 7.5 | 0.01 | Mar 23, 2026 | A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server. | |
| CVE-2026-26828 | Hig | 0.49 | 7.5 | 0.00 | Mar 23, 2026 | A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server | |
| CVE-2026-41457 | Med | 0.45 | — | 0.00 | Apr 22, 2026 | OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data. | |
| CVE-2025-63647 | 0.00 | — | 0.00 | Jan 20, 2026 | A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. | ||
| CVE-2025-63648 | 0.00 | — | 0.00 | Jan 20, 2026 | A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. | ||
| CVE-2025-57156 | 0.00 | — | 0.00 | Jan 20, 2026 | NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash). | ||
| CVE-2025-57155 | 0.00 | — | 0.00 | Jan 20, 2026 | NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. |