Description
Lyrion Music Server 9.2.0 contains a reflected cross-site scripting vulnerability in advanced search parameters that fail to properly sanitize user input before displaying it in search forms. Attackers can inject malicious scripts through unfiltered search parameters to execute arbitrary JavaScript in users' browsers and steal session information.
Published: 2026-06-05
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw in the advanced search feature of Lyrion Music Server 9.2.0. Search parameters are displayed back to the user without proper escaping, enabling an attacker to inject and execute arbitrary JavaScript in a victim’s browser. This can lead to theft of session cookies, defacement or redirecting users to malicious sites. The flaw is a classic input validation weakness (CWE‑79).

Affected Systems

The only version explicitly mentioned as vulnerable is Lyrion Music Server 9.2.0, part of the LMS Community edition. No other versions or editions are noted in the advisory.

Risk and Exploitability

The advisory assigns a CVSS score of 5.1, indicating a moderate impact, and there is no EPSS score available, so the exploitation probability is unclear. The vulnerability is not listed in the CISA KEV catalog. Attackers need only supply a specially crafted search URL or form submission that contains malicious script; the flaw is reflected immediately in the response presented to the user. If a user opens the crafted link in a browser, the attacker can acquire the victim's session cookies or other sensitive browser data.

Generated by OpenCVE AI on June 5, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Lyrion Music Server to a version where the search parameters are properly sanitized.
  • Apply server‑side input validation and encode all user‑supplied search strings before displaying them back.
  • Enforce a Content Security Policy that disallows inline scripts and restricts script sources to trusted domains.
  • If an update is not possible, disable the advanced search feature or block the affected URLs.

Generated by OpenCVE AI on June 5, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Lyrion
Lyrion lyrion Music Server
Vendors & Products Lyrion
Lyrion lyrion Music Server

Fri, 05 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Lyrion Music Server 9.2.0 contains a reflected cross-site scripting vulnerability in advanced search parameters that fail to properly sanitize user input before displaying it in search forms. Attackers can inject malicious scripts through unfiltered search parameters to execute arbitrary JavaScript in users' browsers and steal session information.
Title Lyrion Music Server 9.2.0 Reflected XSS via search Parameters
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Lyrion Lyrion Music Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-05T14:30:19.552Z

Reserved: 2026-06-04T10:47:01.275Z

Link: CVE-2026-50235

cve-icon Vulnrichment

Updated: 2026-06-05T14:30:15.948Z

cve-icon NVD

Status : Deferred

Published: 2026-06-05T14:16:36.880

Modified: 2026-06-05T14:59:31.207

Link: CVE-2026-50235

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:16:49Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')