CVE-2026-50230: Lyrion Music Server 9.2.0 Unauthenticated XSS in server.log Endpoint
Lyrion Music Server version 9.2.0 has a cross-site scripting (XSS) vulnerability in its server logging endpoint. An attacker can craft a malicious URL containing JavaScript code and trick a user into clicking it. When the user visits the link, the JavaScript runs in their browser with the same permissions as the Lyrion application, potentially allowing the attacker to steal session cookies, redirect the user, or perform actions on their behalf. No authentication is required to exploit this vulnerability, making it accessible to anyone who can send a link to a target user.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search parameter to execute code in users' browsers within the context of the affected application.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-50230 is a reflected cross-site scripting (CWE-79) vulnerability affecting Lyrion Music Server 9.2.0. The server.log endpoint fails to sanitize the search parameter before reflecting user input back into the HTML response. An unauthenticated attacker can inject arbitrary HTML and JavaScript into this parameter, which executes in the context of a victim's browser session. The vulnerability has a CVSS 3.1 score of 6.1 (MEDIUM), with a network attack vector, low attack complexity, no privilege requirements, and a requirement for user interaction. The scope changes (S:C) because the JavaScript executes within the application context rather than being confined to it.
Business impact
A successful exploitation could allow attackers to harvest user session tokens or credentials, redirect users to phishing sites, or perform unauthorized actions within the Lyrion application on behalf of compromised users. While the vulnerability requires user interaction (clicking a malicious link), the ease of social engineering and the unauthenticated nature of the endpoint mean this poses a genuine risk to any organization relying on Lyrion for music streaming. The medium severity rating reflects the need for user action, but the lack of authentication requirements and potential for widespread distribution of malicious links elevates practical risk.
Affected systems
Lyrion Music Server 9.2.0 is confirmed affected. Organizations running this version should assume all instances are vulnerable. Determine whether later versions address this issue by consulting Lyrion's official security advisories and release notes. The vulnerability affects the server.log endpoint specifically, meaning any feature or integration that exposes this endpoint to end users amplifies exposure.
Exploitability
The vulnerability is relatively easy to exploit from a technical standpoint—constructing a malicious URL requires only basic knowledge of JavaScript injection. However, successful attacks depend on social engineering to convince users to click the link. The lack of authentication is a significant aggravating factor; attackers do not need compromised credentials or insider access. The attack surface is broad because the endpoint is unauthenticated. Public-facing Lyrion instances are at higher risk than internal deployments, though the latter can still be targeted through phishing. No public exploit code is known at this time, and the vulnerability is not tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, but that status may change.
Remediation
Upgrade Lyrion Music Server to a patched version that sanitizes the search parameter in the server.log endpoint. Verify the exact patched version against Lyrion's official security advisory. Until patching is possible, apply input validation and output encoding at the application level if available, or restrict network access to the server.log endpoint to trusted internal networks only. Additionally, educate users to avoid clicking suspicious links, particularly those containing unfamiliar URL parameters or encoded content.
Patch guidance
Contact Lyrion's support or visit their security advisories to identify the patched version for your deployment. Once a patch is available, apply it to all instances of Lyrion Music Server 9.2.0 in your environment. Test the patch in a staging environment first to confirm compatibility with your configurations and integrations. If immediate patching is not feasible, prioritize restricting network access to the server.log endpoint and monitor for suspicious search parameter values in server logs.
Detection guidance
Monitor access logs for the server.log endpoint, particularly requests containing suspicious search parameters with JavaScript syntax (script tags, event handlers like onerror or onload, encoded payloads). Look for unusual URL patterns, Base64-encoded content, or hexadecimal encoding in the search parameter. Implement web application firewalls (WAF) rules to block requests containing common XSS payloads. Track user reports of unexpected browser behavior or redirects when accessing Lyrion. Review browser console logs and network requests from client machines for evidence of script execution or exfiltration attempts.
Why prioritize this
Although the CVSS score is MEDIUM (6.1), prioritize this vulnerability for patching because it requires no authentication, affects a shared service endpoint, and can be exploited via social engineering at scale. XSS vulnerabilities are among the most common web application flaws and, while this one requires user interaction, the attack vector is network-based and easy to automate in phishing campaigns. Organizations with externally accessible Lyrion instances should treat this as higher priority than the base score suggests.
Risk score, explained
The CVSS 3.1 score of 6.1 reflects a MEDIUM severity reflecting the network attack vector (AV:N), low attack complexity (AC:L), no privilege requirements (PR:N), and the requirement for user interaction (UI:R). Confidentiality and integrity are rated as LOW (C:L, I:L) because the attacker gains access only to what the victim can access and can modify the victim's session, but not the server itself. Availability is not impacted (A:N). The scope change (S:C) indicates the impact extends beyond the vulnerable component itself. This score is appropriate, but real-world risk may be higher if the application handles sensitive data or is exposed to large user populations.
Frequently asked questions
Is Lyrion Music Server 9.2.0 the only affected version?
According to available information, version 9.2.0 is confirmed vulnerable. Other versions may be affected; consult Lyrion's official security advisory to determine the full range of vulnerable versions and which versions contain fixes.
Can this vulnerability be exploited without a user clicking a link?
No. The vulnerability is a reflected XSS, meaning the malicious payload must be in the URL and the user must visit that URL for the script to execute. The attacker cannot inject code persistently into the server or force automatic execution without user action.
What data can an attacker steal through this vulnerability?
An attacker can steal or misuse anything accessible to the victim's browser session, including session tokens, cached data, and music preferences. If the victim has administrator privileges, the attacker could perform administrative actions. The actual impact depends on what Lyrion stores and what permissions the victim has.
Does my organization need to patch immediately if Lyrion is internal-only?
Internal deployments are lower risk than public-facing instances, but you should still patch promptly. Attackers can still exploit the vulnerability through phishing or insider threats. Restricting network access to trusted segments while awaiting a patch can reduce risk, but patching remains the proper remediation.
This analysis is based on the CVE record and publicly available information as of June 2026. No exploit code or proof-of-concept is provided. Always verify patch availability and compatibility against the vendor's official security advisories before deploying updates. The CVSS score reflects standardized metrics; your organization's actual risk depends on exposure, data sensitivity, and user population. Security researchers and vendors are encouraged to report additional details to improve threat intelligence. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1