Lms Community Lyrion Music Server vulnerabilities
6 known vulnerabilities affecting lms_community/lyrion_music_server.
Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 3
Vulnerabilities
CVE-2026-50230 | P3 | MEDIUM | CVSS 6.1 | PoC | CWE-79 | v9.2.0 | 2026-06-05
Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search parameter to execute code in users' browsers within the
nvd
CVE-2026-50234 | P3 | HIGH | CVSS 7.5 | CWE-22 | v9.2.0 | 2026-06-05
Lyrion Music Server 9.2.0 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting directory traversal in the web server context. Attackers can manipulate file path parameters to access sensitive files outside the intended directory structure.
nvd
CVE-2026-50233 | P3 | MEDIUM | CVSS 5.3 | CWE-548 | v9.2.0 | 2026-06-05
Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the
nvd
CVE-2026-50232 | P3 | HIGH | CVSS 7.2 | CWE-79 | v9.2.0 | 2026-06-05
Lyrion Music Server 9.2.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through media file metadata tags like GENRE, ARTIST, and ALBUM. Attackers can craft files with XSS payloads in metadata tags that execute in the web interface when users view track information or play files, enabling access t
nvd
CVE-2026-50231 | P3 | HIGH | CVSS 7.2 | CWE-79 | v9.2.0 | 2026-06-05
Lyrion Music Server 9.2.0 contains an unauthenticated stored cross-site scripting vulnerability in the log viewer that allows attackers to inject malicious scripts by exploiting unescaped template variables. Attackers can inject XSS payloads through search, lines, and path query parameters or by crafting values that get logged such as URLs, User-Agent
nvd
CVE-2026-50235 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v9.2.0 | 2026-06-05
Lyrion Music Server 9.2.0 contains a reflected cross-site scripting vulnerability in advanced search parameters that fail to properly sanitize user input before displaying it in search forms. Attackers can inject malicious scripts through unfiltered search parameters to execute arbitrary JavaScript in users' browsers and steal session information.
nvd