Description
Lyrion Music Server 9.2.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through media file metadata tags like GENRE, ARTIST, and ALBUM. Attackers can craft files with XSS payloads in metadata tags that execute in the web interface when users view track information or play files, enabling access to management functions and settings disclosure.
Published: 2026-06-05
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw that allows an attacker to inject malicious JavaScript into the Lyrion Music Server web interface by embedding payloads in media file metadata tags such as GENRE, ARTIST, and ALBUM. When a user views track information or plays a file, the script executes in the context of the web application, enabling the attacker to gain access to management functions and disclose configuration settings.

Affected Systems

The problem affects the Lyrion Music Server Community edition, specifically version 9.2.0. No other versions are listed in the advisory.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to upload or import a media file containing crafted metadata; once stored, any user who views or plays the track will have the injected code executed in their browser, enabling client-side attack vectors.

Generated by OpenCVE AI on June 5, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Lyrion Music Server release that resolves the stored XSS issue.
  • Implement input validation and output encoding for metadata fields, ensuring script tags or event handlers are stripped or encoded before display.
  • Restrict or sanitize media uploads by disabling edit of metadata tags in the web interface or performing server-side checks to reject files containing script payloads.

Generated by OpenCVE AI on June 5, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Lyrion
Lyrion lyrion Music Server
Vendors & Products Lyrion
Lyrion lyrion Music Server

Fri, 05 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Lyrion Music Server 9.2.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through media file metadata tags like GENRE, ARTIST, and ALBUM. Attackers can craft files with XSS payloads in metadata tags that execute in the web interface when users view track information or play files, enabling access to management functions and settings disclosure.
Title Lyrion Music Server 9.2.0 Stored XSS via Metadata Tags
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Lyrion Lyrion Music Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T17:06:27.555Z

Reserved: 2026-06-04T10:47:01.275Z

Link: CVE-2026-50232

cve-icon Vulnrichment

Updated: 2026-06-08T17:05:58.429Z

cve-icon NVD

Status : Deferred

Published: 2026-06-05T14:16:36.363

Modified: 2026-06-08T18:16:34.060

Link: CVE-2026-50232

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:16:53Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')