
Lyrion Music Server EUVD-2026-34832

CVE-2026-50233 · MEDIUM
Exposure of Information Through Directory Listing (CWE-548)
2026-06-05 · VulnCheck · GHSA-36hm-c9f8-f8xc
CVSS 4.0 score: 6.9 (NVD)

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

CVSS changed: Jun 05, 2026 - 14:22 (NVD), 5.3 (MEDIUM) → 6.9 (MEDIUM)
Analysis Generated: Jun 05, 2026 - 14:18 (vuln.today)

Description (CVE.org)

Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.
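
The description above turns on one missing check: the folder parameter is never confined to the configured media directories. The following is an added example of that containment check in Python; it is not Lyrion Music Server code and not taken from the advisory. `resolve_within`, `list_media_folder` and the directory names are hypothetical, and the directory tree is constructed for the demo.

```python
import os
import tempfile

def resolve_within(folder, media_dirs):
    """Return the canonical path of `folder` if it lies inside one of
    `media_dirs`, else None. Hypothetical helper, not an LMS function."""
    if not folder or "\x00" in folder:
        return None
    # realpath collapses ".." and follows symlinks, so the comparison is
    # made on the location that would actually be listed.
    real = os.path.realpath(folder)
    for root in media_dirs:
        real_root = os.path.realpath(root)
        # commonpath compares whole components, so /srv/music2 does not
        # pass as a child of /srv/music the way a startswith() test would.
        try:
            if os.path.commonpath([real, real_root]) == real_root:
                return real
        except ValueError:  # e.g. paths on different drives
            continue
    return None

def list_media_folder(folder, media_dirs):
    """List a folder only after the containment check; raise otherwise."""
    real = resolve_within(folder, media_dirs)
    if real is None or not os.path.isdir(real):
        raise PermissionError("folder is outside the configured media directories")
    return sorted(os.listdir(real))

def demo():
    """Run the check against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        music = os.path.join(base, "music")
        os.makedirs(os.path.join(music, "albums"))
        os.makedirs(os.path.join(base, "music2"))        # sibling sharing a prefix
        os.symlink(base, os.path.join(music, "escape"))   # symlink leading out
        candidates = {
            "inside": os.path.join(music, "albums"),
            "dotdot": os.path.join(music, "albums", "..", ".."),
            "prefix": os.path.join(base, "music2"),
            "symlink": os.path.join(music, "escape"),
            "absolute": "/etc",
        }
        return {k: resolve_within(v, [music]) is not None
                for k, v in candidates.items()}

if __name__ == "__main__":
    print(demo())
```

The listing is taken from the canonical path the check returned, not from the caller's original string, so the path that was validated is the path that is read.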

Analysis (AI)

Arbitrary filesystem directory listing in Lyrion Music Server 9.2.0 exposes any host directory to remote unauthenticated attackers via the readdirectory query, which accepts an unsandboxed folder parameter with no path restriction. Both the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js are affected, presenting a dual-protocol attack surface that requires no credentials in the default configuration. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify network-exposed Lyrion Music Server instance
  • Delivery: Connect to TCP port 9090 or HTTP /jsonrpc.js
  • Exploit: Submit unauthenticated readdirectory query with arbitrary folder path
  • Execution: Receive full host directory listing
  • Persist: Enumerate sensitive paths for credentials or config files
  • Impact: Use discovered intelligence in follow-on attack

Vulnerability Assessment (AI)

Exploitation: No special conditions are required - the CVSS vector AV:N/AC:L/PR:N/UI:N confirms unauthenticated, low-complexity, remote exploitation against the default configuration of Lyrion Music Server. …

Risk Assessment: The CVSS 3.1 base score of 5.3 Medium with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N reflects network-accessible, unauthenticated, zero-complexity exploitation with low confidentiality impact and no integrity or availability impact. …

Exploit Scenario: An attacker with network access to a Lyrion Music Server instance sends an unauthenticated HTTP POST to /jsonrpc.js or connects directly to TCP port 9090 and submits a readdirectory query with the folder parameter set to an arbitrary path such as /etc or /root. The server responds with the full directory listing for that path, requiring no credentials and producing no error. …

Remediation: No vendor-released patch or confirmed fixed version has been identified in the available intelligence at time of analysis; organizations should monitor the LMS Community project and the ZeroScience advisory at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5991.php and VulnCheck advisory at https://www.vulncheck.com/advisories/lyrion-music-server-arbitrary-directory-listing for patch availability. …
