{"id":60211,"date":"2026-06-05T13:46:28","date_gmt":"2026-06-05T13:46:28","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=60211"},"modified":"2026-06-05T13:46:28","modified_gmt":"2026-06-05T13:46:28","slug":"lyrion-music-server-920-serverlog-reflected-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=60211","title":{"rendered":"\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting_PACKETSTORM:222802"},"content":{"rendered":"

{“lastseen”:”2026-06-05T18:16:29″,”description”:”Lyrion Music Server version 9.2.0 suffers from an unauthenticated reflected cross site scripting vulnerability through server.log endpoint abusing the search GET parameter. Input is not properly sanitized before being returned to the user, allowing the…”,”published”:”2026-06-05T00:00:00″,”modified”:”2026-06-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:222802″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-50230″],”sourceData”:”Lyrion Music Server 9.2.0 (server.log) Unauthenticated Reflected XSS\\n \\n \\n Vendor: LMS Community\\n Product web page: https:\/\/www.lyrion.org\\n Affected version 9.2.0\\n \\n Summary: Lyrion Music Server (formerly Logitech Media Server, and\\n often abbreviated as \\”LMS\\” ) is open-source software which can control\\n and serve (stream) music to a wide range of physical and virtual audio\\n players called Squeezeboxes. Lyrion Music Server can stream your local\\n music collection, internet radio stations, and content from many streaming\\n services (with and without subscriptions).\\n \\n Desc: Lyrion Music Server suffers from an unauthenticated reflected cross-site\\n scripting vulnerability through ‘server.log’ endpoint abusing the ‘search’ GET\\n parameter. Input is not properly sanitized before being returned to the user,\\n allowing the execution of arbitrary HTML\/JS code in a user’s browser session\\n in the context of the affected site.\\n \\n Tested on: Windows 10 (64-bit) – EN\\n Lyrion Music Server (9.2.0 – 1779973211)\\n Perl\/5.32.1\\n SQLite\\n \\n \\n Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic\\n @zeroscience\\n \\n \\n Advisory ID: ZSL-2026-5988\\n Advisory URL: https:\/\/www.zeroscience.mk\/#\/advisories\/ZSL-2026-5988\\n CVE ID: CVE-2026-50230\\n CVE URL: https:\/\/www.cve.org\/CVERecord?id=CVE-2026-50230\\n \\n \\n 27.05.2026\\n \\n –\\n \\n \\n http:\/\/localhost:9000\/server.log?search=\\”\\u003e\\u003cscript\\u003econfirm(251)\\u003c\/script\\u003e”,”sourceHref”:”https:\/\/packetstorm.news\/download\/222802″,”cvss”:{“score”:6.1,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/222802\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-06-05T18:16:29″,”description”:”Lyrion Music Server version 9.2.0 suffers from an unauthenticated reflected cross site scripting vulnerability through server.log endpoint abusing the search GET parameter. Input is not…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,31,12,21,13,53,7,11,5],"class_list":["post-60211","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-61","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting_PACKETSTORM:222802 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=60211\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting_PACKETSTORM:222802 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-06-05T18:16:29″,”description”:”Lyrion Music Server version 9.2.0 suffers from an unauthenticated reflected cross site scripting vulnerability through server.log endpoint abusing the search GET parameter. Input is not...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=60211\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-05T13:46:28+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60211#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60211\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting_PACKETSTORM:222802\",\"datePublished\":\"2026-06-05T13:46:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60211\"},\"wordCount\":397,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-6.1\",\"exploit\",\"MEDIUM\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=60211#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60211\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60211\",\"name\":\"\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting_PACKETSTORM:222802 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-05T13:46:28+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60211#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=60211\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60211#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting_PACKETSTORM:222802\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting_PACKETSTORM:222802 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=60211","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting_PACKETSTORM:222802 - zero redgem","og_description":"{“lastseen”:”2026-06-05T18:16:29″,”description”:”Lyrion Music Server version 9.2.0 suffers from an unauthenticated reflected cross site scripting vulnerability through server.log endpoint abusing the search GET parameter. Input is not...","og_url":"https:\/\/zero.redgem.net\/?p=60211","og_site_name":"zero redgem","article_published_time":"2026-06-05T13:46:28+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=60211#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=60211"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting_PACKETSTORM:222802","datePublished":"2026-06-05T13:46:28+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=60211"},"wordCount":397,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-6.1","exploit","MEDIUM","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=60211#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=60211","url":"https:\/\/zero.redgem.net\/?p=60211","name":"\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting_PACKETSTORM:222802 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-05T13:46:28+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=60211#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=60211"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=60211#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting_PACKETSTORM:222802"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/60211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=60211"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/60211\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=60211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=60211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=60211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}