Lyrion Music Server 9.2.0 exposes an unauthenticated reflected cross‑site scripting flaw in its server.log endpoint that allows an attacker to inject arbitrary HTML and JavaScript into the search query. A crafted URL can cause victim browsers to execute the payload in the context of the application, and based on the description it is inferred that this could lead to cookie theft, session hijacking or defacement. The CVSS base score of 5.1 indicates a moderate severity impact for confidentiality, integrity, and availability of user accounts but does not constitute a remote code execution or denial‑of‑service vulnerability.

The affected product is Lyrion Music Server community edition, specifically version 9.2.0. No other revisions or editions are listed as vulnerable.

The vulnerability can be exploited by any user who can open the server.log URL with a malicious search parameter, as it requires no authentication. Because the flaw relies on client‑side execution in browsers, the risk is confined to users who visit a crafted link. The EPSS score is unavailable and the issue is not listed in the CISA KEV catalog, suggesting that widespread, targeted exploitation has not yet been documented. Nevertheless, the moderate CVSS score and the ease of crafting a malicious URL mean that administrators should treat it as a legitimate threat.