CVE-2026-50232: Stored XSS in Lyrion Music Server 9.2.0 Metadata
Lyrion Music Server version 9.2.0 has a stored cross-site scripting (XSS) vulnerability that lets attackers embed malicious code into audio file metadata fields such as GENRE, ARTIST, and ALBUM. When users browse or play these files through the web interface, the injected scripts execute in their browser, potentially granting attackers access to server management functions and sensitive configuration details. Unlike reflected XSS attacks that require a specially crafted link, this vulnerability persists in the server's database, affecting any user who interacts with a poisoned media file.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Lyrion Music Server 9.2.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through media file metadata tags like GENRE, ARTIST, and ALBUM. Attackers can craft files with XSS payloads in metadata tags that execute in the web interface when users view track information or play files, enabling access to management functions and settings disclosure.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists because Lyrion Music Server fails to properly sanitize or encode user-controlled input from media file metadata tags before rendering them in the web interface. An attacker can craft an audio file with JavaScript payloads embedded in ID3 tags or similar metadata structures. When the application retrieves and displays these tags—whether in track detail views, playlist displays, or player widgets—the browser interprets the injected script as legitimate code. The CVSS 3.1 score of 7.2 (HIGH) reflects network-based attack feasibility with no authentication required, combined with cross-site scripting's potential for confidentiality and integrity impacts. The vector indicates low attack complexity and no user interaction needed at the network level, though end-user interaction with the web UI is necessary for payload execution.
Business impact
An attacker exploiting this vulnerability could steal session cookies or authentication tokens from administrators, leading to unauthorized access to server management functions. They could also exfiltrate sensitive information such as server configuration, user accounts, library paths, and system details visible in the admin interface. In multi-user deployments, a malicious media file uploaded by one user could compromise the accounts of other users and administrators who interact with it. This creates supply-chain-like risk if media files are shared across trusted users or imported from external sources. Service availability is not directly threatened, but integrity of the media library and administrative trust boundaries are compromised.
Affected systems
Lyrion Music Server version 9.2.0 is confirmed affected. Organizations running this version in either standalone or networked deployments should assume vulnerability exposure. Earlier and later versions have not been confirmed affected by this specific issue; verify against vendor advisories for the full patch scope and timeline.
Exploitability
The attack requires an attacker to craft a malicious media file and have it uploaded to or present on the Lyrion server. This could occur through direct upload by an insider, compromise of a connected media import process, or social engineering of trusted users. Once the file is on the server, no additional attacker interaction is needed—any user browsing the web interface and viewing the poisoned track's metadata triggers execution. This makes it a low-barrier attack once initial file placement is achieved. Public exploit code has not been identified, but the vulnerability is straightforward to weaponize given basic XSS payload knowledge.
Remediation
Apply vendor patches to update Lyrion Music Server beyond version 9.2.0; consult the vendor advisory for minimum patched version. Additionally, implement input validation and output encoding at the application level to sanitize all metadata fields before rendering them in HTML contexts. Consider deploying a Web Application Firewall (WAF) with XSS detection rules as a temporary compensating control while patches are being prepared and tested.
Patch guidance
Contact Lyrion or check their official security advisory for the patched version number and availability. Test patches in a non-production environment first, particularly for media library consistency and playback functionality. After patching, consider re-scanning the media library for any potentially malicious files that may have been added. If patches are not yet available, prioritize restricting web interface access to trusted internal networks and limiting who can upload or manage media files.
Detection guidance
Monitor web server logs for unusual patterns in metadata display requests and look for script tags or JavaScript event handlers in query strings or POST bodies. Check media file metadata using offline tools (e.g., ffprobe, ExifTool) for suspicious content in GENRE, ARTIST, ALBUM, and other tag fields—look for script tags, event handlers, or JavaScript protocol URLs. Review Lyrion server logs for errors or warnings related to metadata parsing. Implement Content Security Policy (CSP) headers to restrict script execution from non-whitelisted sources, which would help prevent injected scripts from running even if they bypass input filtering.
Why prioritize this
This vulnerability rates HIGH severity due to its network-accessible attack surface, lack of authentication requirement, and potential for unauthorized administrative access and data exfiltration. Although it requires file placement and user interaction with the web interface, the combination of persistent storage, ease of exploitation, and high-value target (server administrators) justifies immediate patch deployment. Organizations with public-facing Lyrion instances or shared media libraries should prioritize this above medium-severity issues.
Risk score, explained
The CVSS 3.1 score of 7.2 reflects: (1) Network-based attack vector requiring no special access, (2) Low attack complexity with straightforward payload injection, (3) No authentication requirement for exploitation, (4) Cross-site scope allowing impact beyond the vulnerable application itself, (5) Confidentiality and integrity impacts through session hijacking and data disclosure. The score stops short of Critical (9.0+) because availability is not impacted and the attack does require a file to be present on the server and a user to interact with it.
Frequently asked questions
Can an attacker exploit this without uploading a file to the server?
No. The attacker must first get a malicious media file onto the Lyrion server, either through direct upload, import processes, or placement by an insider. Once present, the payload executes when any user views the file's metadata in the web interface.
Does this vulnerability affect offline or air-gapped Lyrion installations?
If the server has no web interface exposed or no users access it via the network, risk is significantly reduced. However, if any user can reach the web interface locally or remotely, the vulnerability is exploitable if poisoned files exist.
Will a WAF or network-based XSS filter completely protect us?
A WAF with XSS detection can provide temporary protection by blocking suspicious metadata in HTTP responses, but it is not a substitute for patching. WAFs may generate false positives and are often bypassed with encoded payloads. Patching the application is the definitive remediation.
How do we know if our library already contains malicious files?
Use offline metadata inspection tools to scan your media library for suspicious content in metadata tags. Look for script tags, HTML event handlers, or unusual characters. No online scanning is necessary—the file itself contains the payload, not external links.
This analysis is provided for informational purposes and represents the state of knowledge as of the publication date. Vendor patch availability, affected version scope, and remediation timelines may change. Organizations should consult official vendor advisories and security bulletins for authoritative guidance. Testing of patches should be performed in controlled environments before production deployment. SEC.co does not provide guarantee of accuracy or completeness and recommends independent verification of all technical claims against primary sources. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)