{“lastseen”:”2026-06-05T18:50:34″,”description”:”Summary Lyrion Music Server formerly Logitech Media Server, and often abbreviated as \\”LMS\\” is open-source software which can control and serve stream music to a wide range of physical and virtual audio players called Squeezeboxes. Lyrion Music Server…”,”published”:”2026-06-05T00:00:00″,”modified”:”2026-06-05T00:00:00″,”type”:”zeroscience”,”title”:”Lyrion Music Server 9.2.0 (server.log) Unauthenticated Stored XSS”,”source”:””,”references”:””,”id”:”ZSL-2026-5989″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-50231″],”sourceData”:”\\u003chtml\\u003e\\u003cbody\\u003e\\u003cp\\u003eLyrion Music Server 9.2.0 (server.log) Unauthenticated Stored XSS\\n\\n\\nVendor: LMS Community\\nProduct web page: https:\/\/www.lyrion.org\\nAffected version 9.2.0\\n\\nSummary: Lyrion Music Server (formerly Logitech Media Server, and\\noften abbreviated as \\”LMS\\” ) is open-source software which can control\\nand serve (stream) music to a wide range of physical and virtual audio\\nplayers called Squeezeboxes. Lyrion Music Server can stream your local\\nmusic collection, internet radio stations, and content from many streaming\\nservices (with and without subscriptions).\\n\\nDesc: The log viewer reflects request parameters and raw log content into\\nHTML with no escaping. Template Toolkit has no global auto-escaping so any\\n[% var %] without an explicit | html filter is an injection point. The search,\\nlines and path query parameters are reflected directly, and log lines are\\nemitted as raw HTML. Any attacker-provided value that gets logged (a crafted\\nURL, User-Agent, stream title, player name) becomes stored XSS.\\n\\n============================================================================\\n\/HTML\/EN\/log.html\\n——————-\\n85: \\u003cinput …=\\”\\” id=\\”search\\” name=\\”search\\” type=\\”text\\” value=\\”[% search %]\\”\/\\u003e\\n98: \\u003cspan\\u003e\\u003ca href=\\”\/[% path %]?zip=1\\”\\u003e[% \\”DOWNLOAD\\” | string %]\\u003c\/a\\u003e\\u003c\/span\\u003e\\n100: \\u003cinput id=\\”lines\\” name=\\”lines\\” type=\\”hidden\\” value=\\”[% lines %]\\”\/\\u003e\\n103: \\u003c\/p\\u003e\\u003cpre\\u003e[% logLines %]\\u003c\/pre\\u003e\\n\\n\\n\/Slim\/Web\/Pages\/Common.pm (logFile)\\n————————————\\n508: my $search = $params-\\u0026gt;{search};\\n… $line = \\”\\u003cspan style=’\\\\\\”color:red\\\\\\”‘\\u003e$line\\u003c\/span\\u003e\\” if …;\\n549: return Slim::Web::HTTP::filltemplatefile(\\”log.html\\”, $params);\\n============================================================================\\n\\nTested on: Windows 10 (64-bit) – EN\\n Lyrion Music Server (9.2.0 – 1779973211)\\n Perl\/5.32.1\\n SQLite\\n\\n\\nVulnerability discovered by Gjoko ‘LiquidWorm’ Krstic\\n @zeroscience\\n\\n\\nAdvisory ID: ZSL-2026-5989\\nAdvisory URL: https:\/\/www.zeroscience.mk\/#\/advisories\/ZSL-2026-5989\\nCVE ID: CVE-2026-50231\\nCVE URL: https:\/\/www.cve.org\/CVERecord?id=CVE-2026-50231\\n\\n\\n27.05.2026\\n\\n–\\n\\n\\nhttp:\/\/localhost:9000\/imageproxy\/file:\/\/\/\/Zero%20Science%20Lab%20is%3Cscript%3Econfirm(%22Awesome!%22)%3C\/script%3E\\n\\nViewing log at http:\/\/localhost:9000\/server.log:\\n…\\n…\\n[26-05-29 14:32:44.5987] Slim::Web::ImageProxy::__ANON__ (376) Artwork resize for imageproxy\/file:\/\/\/\/Zero Science Lab is failed\\n…\\n\\u003c\/body\\u003e\\u003c\/html\\u003e”,”sourceHref”:”https:\/\/www.zeroscience.mk\/codes\/lyrion_storedxss.txt”,”cvss”:{“score”:7.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.zeroscience.mk\/advisories\/ZSL-2026-5989.html”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-05T18:50:34″,”description”:”Summary Lyrion Music Server formerly Logitech Media Server, and often abbreviated as \\”LMS\\” is open-source software which can control and serve stream music to a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,39,12,15,13,7,11,5,107],"class_list":["post-60317","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-72","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability","tag-zeroscience"],"yoast_head":"\n