Lyrion Music Server 9.2.0 (server.log) Unauthenticated Reflected XSS_ZSL-2026-5988

6.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Summary Lyrion Music Server formerly Logitech Media Server, and often abbreviated as "LMS" is open-source software which can control and serve stream music to a wide range of physical and virtual audio players called Squeezeboxes. Lyrion Music Server...

Visit Original Source

Basic Information

ID ZSL-2026-5988

Published Jun 5, 2026 at 00:00

Affected Product

Affected Versions <html><body><p>Lyrion Music Server 9.2.0 (server.log) Unauthenticated Reflected XSS

Vendor: LMS Community
Product web page: https://www.lyrion.org
Affected version 9.2.0

Summary: Lyrion Music Server (formerly Logitech Media Server, and
often abbreviated as "LMS" ) is open-source software which can control
and serve (stream) music to a wide range of physical and virtual audio
players called Squeezeboxes. Lyrion Music Server can stream your local
music collection, internet radio stations, and content from many streaming
services (with and without subscriptions).

Desc: Lyrion Music Server suffers from an unauthenticated reflected cross-site
scripting vulnerability through 'server.log' endpoint abusing the 'search' GET
parameter. Input is not properly sanitized before being returned to the user,
allowing the execution of arbitrary HTML/JS code in a user's browser session
in the context of the affected site.

Tested on: Windows 10 (64-bit) - EN
Lyrion Music Server (9.2.0 - 1779973211)
Perl/5.32.1
SQLite

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2026-5988
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5988
CVE ID: CVE-2026-50230
CVE URL: https://www.cve.org/CVERecord?id=CVE-2026-50230

27.05.2026

--

http://localhost:9000/server.log?search="><script>confirm(251)</script>
</p></body></html>

{
    "lastseen": "2026-06-05T18:50:40",
    "description": "Summary Lyrion Music Server formerly Logitech Media Server, and often abbreviated as \"LMS\" is open-source software which can control and serve stream music to a wide range of physical and virtual audio players called Squeezeboxes. Lyrion Music Server...",
    "published": "2026-06-05T00:00:00",
    "modified": "2026-06-05T00:00:00",
    "type": "zeroscience",
    "title": "Lyrion Music Server 9.2.0 (server.log) Unauthenticated Reflected XSS",
    "source": "",
    "references": "",
    "id": "ZSL-2026-5988",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-50230"
    ],
    "sourceData": "<html><body><p>Lyrion Music Server 9.2.0 (server.log) Unauthenticated Reflected XSS\n\n\nVendor: LMS Community\nProduct web page: https://www.lyrion.org\nAffected version 9.2.0\n\nSummary: Lyrion Music Server (formerly Logitech Media Server, and\noften abbreviated as \"LMS\" ) is open-source software which can control\nand serve (stream) music to a wide range of physical and virtual audio\nplayers called Squeezeboxes. Lyrion Music Server can stream your local\nmusic collection, internet radio stations, and content from many streaming\nservices (with and without subscriptions).\n\nDesc: Lyrion Music Server suffers from an unauthenticated reflected cross-site\nscripting vulnerability through 'server.log' endpoint abusing the 'search' GET\nparameter. Input is not properly sanitized before being returned to the user,\nallowing the execution of arbitrary HTML/JS code in a user's browser session\nin the context of the affected site.\n\nTested on: Windows 10 (64-bit) - EN\n           Lyrion Music Server (9.2.0 - 1779973211)\n           Perl/5.32.1\n           SQLite\n\n\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\n                            @zeroscience\n\n\nAdvisory ID: ZSL-2026-5988\nAdvisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5988\nCVE ID: CVE-2026-50230\nCVE URL: https://www.cve.org/CVERecord?id=CVE-2026-50230\n\n\n27.05.2026\n\n--\n\n\nhttp://localhost:9000/server.log?search=\"><script>confirm(251)</script>\n</p></body></html>",
    "sourceHref": "https://www.zeroscience.mk/codes/lyrion_xss.txt",
    "cvss": {
        "score": 6.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.zeroscience.mk/advisories/ZSL-2026-5988.html",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply