CVE-2026-50231: Lyrion Music Server 9.2.0 Unauthenticated Stored XSS in Log Viewer
Lyrion Music Server version 9.2.0 contains a stored cross-site scripting (XSS) vulnerability in its log viewer that allows attackers to inject malicious JavaScript without authentication. The vulnerability exists because the application fails to properly escape template variables, allowing crafted input to be permanently stored and executed in the browsers of users who view the logs. Attackers can inject payloads through multiple vectors including search parameters, log line numbers, file paths, or by manipulating values that the server naturally logs such as HTTP headers, stream titles, and player names.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Lyrion Music Server 9.2.0 contains an unauthenticated stored cross-site scripting vulnerability in the log viewer that allows attackers to inject malicious scripts by exploiting unescaped template variables. Attackers can inject XSS payloads through search, lines, and path query parameters or by crafting values that get logged such as URLs, User-Agent headers, stream titles, or player names to execute arbitrary scripts in users' browsers.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is a stored XSS (CWE-79) flaw in Lyrion Music Server 9.2.0's log viewer functionality. Unauthenticated attackers can exploit unescaped template variables by submitting malicious JavaScript through the query parameters 'search', 'lines', and 'path', or by controlling logged values such as User-Agent headers, stream titles, or player names. Because the injected scripts are persisted in logs and executed client-side when logs are viewed, any user accessing the log viewer becomes a potential victim. The attack vector is network-based with low complexity and requires no privilege or user interaction beyond viewing a crafted or compromised log entry.
Business impact
A successful exploit allows attackers to execute arbitrary JavaScript in the context of users' Lyrion Music Server web interface sessions. This can lead to session hijacking, credential theft, malware distribution, defacement of the music server interface, or lateral movement into the organization's network if users also access other internal systems from the same browser. For music streaming deployments in business or shared environments, this could disrupt service availability and compromise user trust. The unauthenticated nature of the attack significantly increases exposure.
Affected systems
Lyrion Music Server version 9.2.0 is affected. Organizations running this version should inventory deployments, particularly any instances exposed to untrusted networks or accessible from user devices. The vulnerability does not appear to affect other vendor products based on available information, but affected organizations should verify their exact deployment versions against vendor advisories.
Exploitability
The vulnerability is relatively straightforward to exploit. An attacker can craft a malicious URL containing XSS payloads in the search, lines, or path parameters, or can supply crafted values that get logged (such as a stream title or device name containing JavaScript). Since no authentication is required and the attack triggers on log viewer access, the barrier to exploitation is low. However, the attack depends on a victim user visiting the log viewer, which is a minor practical constraint in many deployments.
Remediation
Apply patches from Lyrion Music Server as soon as they become available. Until patching is possible, limit access to the log viewer to trusted users only, restrict network access to the music server's web interface using firewall rules or VPN requirements, and disable or remove the log viewer feature if it is not essential to operations. Sanitize and escape all template variables in the log viewer before rendering them in HTML context.
Patch guidance
Consult the official Lyrion Music Server security advisory and release notes for patched versions addressing CVE-2026-50231. Verify the patch version number against the vendor's official sources. Test patches in a non-production environment before deployment. Given the high CVSS score and unauthenticated attack vector, prioritize patching within 1–2 weeks depending on your environment's exposure risk.
Detection guidance
Monitor web server logs for suspicious log viewer access patterns, including requests with unusual characters or script-like syntax in the 'search', 'lines', or 'path' parameters. Look for logged values (User-Agent, stream titles, player names) that contain HTML or JavaScript tags. Implement Content Security Policy (CSP) headers to restrict inline script execution. Monitor user sessions for unexpected activity following log viewer access. Intrusion detection systems tuned for XSS patterns may catch malicious payloads in query strings or logged metadata.
Why prioritize this
This vulnerability earns high priority due to its CVSS 7.2 score, unauthenticated attack surface, and potential for widespread impact across all log viewer users. The stored nature of the XSS means the payload persists and affects any future user who views the logs, creating a 'blast radius' that extends beyond a single session. For organizations with music servers accessible from user networks or the internet, this should be treated as urgent.
Risk score, explained
The CVSS 3.1 score of 7.2 (HIGH) reflects: network-accessible attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction needed for the attack itself (UI:N), scope change (S:C) allowing impact beyond the vulnerable application, and low impact on confidentiality and integrity (C:L, I:L). The absence of availability impact (A:N) prevents a higher score, but the combination of unauthenticated access, ease of exploitation, and cross-site execution capability justifies the HIGH severity rating.
Frequently asked questions
Can this vulnerability be exploited if the music server is only accessible on an internal network?
Yes. While internal-only deployments reduce exposure, any user with access to the log viewer can be compromised. Internal attackers or compromised internal accounts can still inject XSS payloads. Additionally, if users access the server from personal devices that also browse the public internet, the stolen session cookies or credentials could be exfiltrated to external attackers.
Do I need to have already visited the log viewer for the attack to affect me?
No. The stored XSS payload persists in the logs themselves. The moment you (or any user) visits the log viewer and views a log entry containing a malicious payload, the script executes in your browser. You do not need to have visited the viewer previously.
What should I do if I suspect an XSS payload has been injected into my logs?
Isolate the affected Lyrion Music Server instance if possible, review access logs to identify when the injection occurred and which users may have been affected, change passwords for any user accounts that accessed the server around that time, scan for signs of lateral movement or credential theft, and apply available patches immediately. Consider clearing logs after capturing them for forensic analysis.
Are there workarounds if I cannot patch immediately?
Yes. Implement network-level access controls to restrict who can reach the music server's web interface (firewall rules, VPN requirements, IP whitelisting). Disable the log viewer feature entirely if not needed. Apply Web Application Firewall (WAF) rules to block requests with suspicious characters in query parameters. These are temporary measures and do not replace patching.
This analysis is based on CVE-2026-50231 as of the published and modified dates shown. Patch version numbers and vendor guidance should be verified against official Lyrion Music Server security advisories. This explainer does not constitute a substitute for vendor advisories or professional security assessment. Organizations should assess risk within their own environment and consult with their security teams before implementing mitigations. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)