CVE-2026-50230
published 2026-06-05
Priority: P3 · 35 · medium · CVSS 3.1: 6.1
AV:N · AC:L · PR:N · UI:R · S:C · C:L · I:L · A:N
EXPLOIT
EPSS: 0.32% (24.2th percentile)
Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search parameter to execute code in users' browsers within the context of the affected application.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lms_community | lyrion_music_server | — | — |
CVSS provenance
nvd · v3.1 · 6.1 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd · v4.0 · 5.1 · MEDIUM · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through
ghsa_unreviewed·2026-06-05
CVE-2026-50230 [MEDIUM] CWE-79 Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through
VulDB
LMS Community Lyrion Music Server 9.2.0 Parameter server.log Search cross site scripting (ZSL-2026-5988 / EUVD-2026-34829)
vuldb·2026-06-05·CVSS 5.1
CVE-2026-50230 [MEDIUM] LMS Community Lyrion Music Server 9.2.0 Parameter server.log Search cross site scripting (ZSL-2026-5988 / EUVD-2026-34829)
A vulnerability classified as problematic was found in LMS Community Lyrion Music Server 9.2.0. Affected is an unknown function of the file server.log of the component Parameter Handler. The manipulation of the argument Search results in cross site scripting.
This vulnerability was named CVE-2026-50230. The attack may be performed from remote. There is no available exploit.
No detection rules found.
Nuclei
Lyrion Music Server <= 9.2.0 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2026-50230 [MEDIUM] Lyrion Music Server <= 9.2.0 - Cross-Site Scripting
Lyrion Music Server alert(document.domain)'
```yaml
  - type: word
    part: header
    words:
      - "text/html"
  - type: status
    status:
      - 200
# digest: 4b0a00483046022100b469b303805231db1ef13d9fa6d61ee678ffe70db927b1a62643dc761856bba3022100a2db7ab84b6b2bc61e9315e9fc9ff3ca2f1c622f6d896bfbfc5b14dbac12b05f:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
Published: 2026-06-05