ArcherSec - Security Researcher - Exploit Intelligence Platform

CVE-2026-26828 WRITEUP HIGH WRITEUP

OwnTone Server - NULL Pointer Dereference

A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server

CVSS 7.5

View Code

CVE-2026-26829 WRITEUP HIGH WRITEUP

owntone-server - DoS

A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server.

CVSS 7.5

View Code

CVE-2026-26829 WRITEUP HIGH WORKING POC

owntone-server - DoS

A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server.

CVSS 7.5

View Code

CVE-2025-57155 WRITEUP HIGH WRITEUP

Owntone Server < 28.2 - NULL Pointer Dereference

NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service.

CVSS 7.5

View Code

CVE-2025-57156 WRITEUP HIGH WRITEUP

Owntone Server < 28.12 - NULL Pointer Dereference

NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash).

CVSS 7.5

View Code

CVE-2025-63647 WRITEUP HIGH WRITEUP

owntone-server <commit 334beb - DoS

A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.

CVSS 7.5

View Code

CVE-2025-63647 WRITEUP HIGH WORKING POC

owntone-server <commit 334beb - DoS

A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.

CVSS 7.5

View Code

CVE-2025-63648 WRITEUP HIGH WRITEUP

owntone-server <b7e385f - DoS

A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server.

CVSS 7.5

View Code

CVE-2025-63649 WRITEUP HIGH WRITEUP

Monkey Commit f37e984 - DoS

An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server.

CVSS 7.5

View Code

CVE-2025-63653 WRITEUP HIGH WRITEUP

Monkey Commit f37e984 - DoS

An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

CVSS 7.5

View Code