ejurgensen

8 exploits Active since Aug 2021
CVE-2026-41457 WRITEUP MEDIUM WRITEUP
OwnTone Server < 29.1 SQL Injection via query and filter Parameters
OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit insufficient sanitization of these parameters to bypass filters and gain unauthorized access to media library data.
CVE-2026-26828 WRITEUP HIGH WRITEUP
OwnTone Server - NULL Pointer Dereference
A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server
CVSS 7.5
CVE-2026-26829 WRITEUP HIGH WRITEUP
owntone-server through c4d57aa - Denial of Service via NULL Pointer Dereference in safe_atou64
A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server.
CVSS 7.5
CVE-2021-38383 WRITEUP CRITICAL WRITEUP
owntone_server < 28.1 - Use-After-Free in net_bind()
OwnTone (aka owntone-server) through 28.1 has a use-after-free in net_bind() in misc.c.
CVSS 9.8
CVE-2025-57155 WRITEUP HIGH WRITEUP
owntone_server < 28.2 - Denial of Service via NULL Pointer Dereference in daap_reply_groups
NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service.
CVSS 7.5
CVE-2025-57156 WRITEUP HIGH WRITEUP
owntone_server < 28.12 - Denial of Service via dacp_reply_playqueueedit_clear NULL Pointer Dereference
NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash).
CVSS 7.5
CVE-2025-63647 WRITEUP HIGH WRITEUP
owntone-server <commit 334beb - DoS
A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.
CVSS 7.5
CVE-2025-63648 WRITEUP HIGH WRITEUP
owntone_server < 29.0 - Denial of Service via DACP Request
A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server.
CVSS 7.5