Skip to main content

Lyrion Music Server CVE-2026-50235

| EUVD-2026-34834 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-05 VulnCheck GHSA-qpxh-62pf-qh76
XSS Lyrion Music Server
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 05, 2026 - 14:22 NVD
6.1 (MEDIUM) 5.1 (MEDIUM)
Analysis Generated
Jun 05, 2026 - 14:18 vuln.today

DescriptionCVE.org

Lyrion Music Server 9.2.0 contains a reflected cross-site scripting vulnerability in advanced search parameters that fail to properly sanitize user input before displaying it in search forms. Attackers can inject malicious scripts through unfiltered search parameters to execute arbitrary JavaScript in users' browsers and steal session information.

AnalysisAI

Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers via unsanitized advanced search parameters, enabling session token theft and account hijacking with a single user-click interaction. The changed scope (S:C) in the CVSS vector confirms the injected script executes outside the origin of the vulnerable application, amplifying cross-domain impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious search URL with injected JS payload
Delivery
Deliver link to authenticated Lyrion Music Server user via phishing
Exploit
User clicks link, browser submits search request
Execution
Server reflects unsanitized parameter into HTML response
Persist
Injected script executes in victim browser session
Impact
Session token exfiltrated to attacker-controlled endpoint
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker requires no authentication (PR:N from CVSS vector) and no special privileges. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.1 Medium score reflects a realistic but bounded threat: AV:N (network-reachable) and AC:L (no special conditions) indicate easy delivery, PR:N confirms the attacker requires no authentication, but UI:R (user interaction required) is the critical limiting factor - the victim must click a crafted link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL targeting Lyrion Music Server's advanced search endpoint, embedding a JavaScript payload in an unsanitized query parameter, then distributes the link to a target user via phishing email or message. When the user clicks the link and their browser renders the search results page, the injected script executes in their browser session and exfiltrates the session cookie to an attacker-controlled server, granting full account access. …
Remediation No vendor-released patch version was identified in the provided data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50235 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy