📄 Lyrion Music Server 9.2.0 search Cross Site Scripting

6.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Lyrion Music Server version 9.2.0 has advanced search parameters that are stuffed back into the page so the form keeps its values. Several free-text fields do not apply filtering, resulting in reflected cross site scripting...

Visit Original Source

Basic Information

ID PACKETSTORM:222812

Published Jun 5, 2026 at 00:00

Affected Product

Affected Versions Lyrion Music Server 9.2.0 (search.*) Multiple Script Insertions

Vendor: LMS Community
Product web page: https://www.lyrion.org
Affected version 9.2.0

Summary: Lyrion Music Server (formerly Logitech Media Server, and
often abbreviated as "LMS" ) is open-source software which can control
and serve (stream) music to a wide range of physical and virtual audio
players called Squeezeboxes. Lyrion Music Server can stream your local
music collection, internet radio stations, and content from many streaming
services (with and without subscriptions).

Desc: Advanced-search parameters (search.*) are stuffed back into the
page so the form keeps its values. Most fields apply | html, but several
free-text fields do not, resulting in reflected XSS.

Tested on: Windows 10 (64-bit) - EN
Lyrion Music Server (9.2.0 - 1779973211)
Perl/5.32.1
SQLite

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2026-5993
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5993
CVE ID: CVE-2026-50235
CVE URL: https://www.cve.org/CVERecord?id=CVE-2026-50235

27.05.2026

--

http://localhost:9000/advanced_search.html?{PARAM}={XSS PAYLOAD}

- search.comments_value={XSS PAYLOAD}
- search.filesize={XSS PAYLOAD}
- search.lyrics={XSS PAYLOAD}
- search.url={XSS PAYLOAD}

{
    "lastseen": "2026-06-05T18:14:38",
    "description": "Lyrion Music Server version 9.2.0 has advanced search parameters that are stuffed back into the page so the form keeps its values. Several free-text fields do not apply filtering, resulting in reflected cross site scripting...",
    "published": "2026-06-05T00:00:00",
    "modified": "2026-06-05T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Lyrion Music Server 9.2.0 search Cross Site Scripting",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:222812",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-50235"
    ],
    "sourceData": "Lyrion Music Server 9.2.0 (search.*) Multiple Script Insertions\n    \n    \n    Vendor: LMS Community\n    Product web page: https://www.lyrion.org\n    Affected version 9.2.0\n    \n    Summary: Lyrion Music Server (formerly Logitech Media Server, and\n    often abbreviated as \"LMS\" ) is open-source software which can control\n    and serve (stream) music to a wide range of physical and virtual audio\n    players called Squeezeboxes. Lyrion Music Server can stream your local\n    music collection, internet radio stations, and content from many streaming\n    services (with and without subscriptions).\n    \n    Desc: Advanced-search parameters (search.*) are stuffed back into the\n    page so the form keeps its values. Most fields apply | html, but several\n    free-text fields do not, resulting in reflected XSS.\n    \n    Tested on: Windows 10 (64-bit) - EN\n               Lyrion Music Server (9.2.0 - 1779973211)\n               Perl/5.32.1\n               SQLite\n    \n    \n    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\n                                @zeroscience\n    \n    \n    Advisory ID: ZSL-2026-5993\n    Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5993\n    CVE ID: CVE-2026-50235\n    CVE URL: https://www.cve.org/CVERecord?id=CVE-2026-50235\n    \n    \n    27.05.2026\n    \n    --\n    \n    \n    http://localhost:9000/advanced_search.html?{PARAM}={XSS PAYLOAD}\n    \n    - search.comments_value={XSS PAYLOAD}\n    - search.filesize={XSS PAYLOAD}\n    - search.lyrics={XSS PAYLOAD}\n    - search.url={XSS PAYLOAD}",
    "sourceHref": "https://packetstorm.news/download/222812",
    "cvss": {
        "score": 6.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/222812/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Lyrion Music Server 9.2.0 search Cross Site Scripting_PACKETSTORM:222812

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply