CVE-2026-41458 is a high-severity vulnerability in OwnTone Server versions 28.4 through 29.0. The vulnerability is caused by a race condition in the DAAP login handler, which allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service con [truncated]
CVE-2026-41457 is a SQL injection vulnerability in OwnTone Server versions 28.4 through 29.0. The vulnerability is located in the DAAP query and filter handling, allowing attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. This vulnerability allows attackers to bypass filters and gain unauthorized access to m [truncated]