CVE-2026-50235: Lyrion Music Server 9.2.0 Reflected XSS in Advanced Search
Lyrion Music Server 9.2.0 has a reflected cross-site scripting (XSS) vulnerability in its advanced search feature. An attacker can craft a malicious link containing JavaScript code in the search parameters. When a user clicks the link or is tricked into visiting it, the malicious script executes in their browser, potentially allowing the attacker to steal session cookies, hijack accounts, or perform actions on behalf of the user. The vulnerability requires user interaction—the victim must click a malicious link—but no special privileges or complex setup are needed to exploit it.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Lyrion Music Server 9.2.0 contains a reflected cross-site scripting vulnerability in advanced search parameters that fail to properly sanitize user input before displaying it in search forms. Attackers can inject malicious scripts through unfiltered search parameters to execute arbitrary JavaScript in users' browsers and steal session information.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This reflected XSS vulnerability (CWE-79) exists in Lyrion Music Server 9.2.0's advanced search functionality. The application fails to properly sanitize or encode user-supplied search parameters before rendering them back in the HTML response. An attacker can inject arbitrary JavaScript payloads through URL-based search parameters. Because the payload is reflected directly into the response without output encoding, the JavaScript executes in the victim's browser within the security context of the Lyrion server domain. The CVSS 3.1 score of 6.1 (MEDIUM) reflects network accessibility, low attack complexity, and requirement for user interaction, with consequent impact to confidentiality and integrity but no availability impact.
Business impact
Session hijacking is the primary risk. An attacker stealing a user's session token can gain unauthorized access to that user's Lyrion Music Server account, potentially accessing, modifying, or deleting music libraries, playlists, and personal metadata. In environments where Lyrion is integrated with broader music distribution or library management workflows, compromised sessions could disrupt service availability or expose sensitive information. The attack surface is wider in shared or public-facing deployments where users may be more likely to click unfamiliar links. Reputational damage may occur if users' listening habits or library data are exposed.
Affected systems
Lyrion Music Server version 9.2.0 is confirmed affected. Organizations running this specific version should prioritize assessment. Versions prior to or after 9.2.0 are not explicitly identified in available advisories; verify against vendor documentation or release notes for confirmed scope. Deployments exposed to untrusted networks or with users who access the server via shared or public links face higher risk.
Exploitability
Exploitation is straightforward and requires no authentication, special privileges, or complex configuration. An attacker simply constructs a URL with malicious JavaScript in search parameters and distributes it via email, social media, or other channels. User interaction is required—the victim must follow the link—but social engineering is often effective, especially if the link appears to come from a trusted source or is embedded in legitimate-looking communications. No special tools beyond a web browser are needed. The attack is reliably repeatable across victims who click the same malicious link.
Remediation
Upgrade Lyrion Music Server to a patched version released after 9.2.0. Consult the official Lyrion project repository or vendor advisories for confirmed fixed versions. As an interim mitigation, restrict access to the Lyrion server to trusted networks or implement a Web Application Firewall (WAF) rule to detect and block requests containing common XSS payloads in search parameters. Additionally, educate users to verify links before clicking, especially those referencing search functionality.
Patch guidance
Contact the Lyrion project maintainers or consult their official release notes to identify the specific patched version addressing CVE-2026-50235. Once a patch is available, test it in a non-production environment before rolling out to ensure compatibility with your music library, plugins, and dependent services. Apply the patch during a maintenance window to minimize disruption. Verify that advanced search functionality operates normally post-patch and that no regression occurs in other features.
Detection guidance
Monitor web access logs for search requests containing encoded or obfuscated JavaScript patterns (e.g., script tags, event handlers like 'onerror=', 'onclick=', or data URIs) in query parameters. Implement browser-based Content Security Policy (CSP) headers on the Lyrion server to restrict inline script execution and limit script sources. Enable user-agent logging to correlate suspicious search requests with potential session theft patterns. Look for unusual account activity, such as library modifications or access from unexpected geographies or IP addresses correlated with the timing of detected XSS attempts.
Why prioritize this
Although the CVSS score is MEDIUM and the vulnerability requires user interaction, XSS vulnerabilities should not be underestimated. Session theft directly compromises user accounts and can enable lateral movement or data exfiltration in integrated environments. The low complexity of exploitation and the high likelihood of successful social engineering in real-world scenarios mean that even moderate CVSS scores warrant timely patching. Prioritize if the Lyrion server handles sensitive music metadata, is accessible externally, or if users are frequent targets of phishing campaigns.
Risk score, explained
The CVSS 3.1 score of 6.1 reflects a MEDIUM severity rating. The score accounts for network attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and requirement for user interaction (UI:R). The scope is changed (S:C), meaning the attacker can impact resources beyond the vulnerable component (user session and browser). Confidentiality and integrity are both impacted (C:L, I:L), as session tokens can be stolen and actions forged. Availability is not impacted (A:N). The relatively moderate score reflects the practical barrier of requiring user interaction, but does not diminish the real-world risk posed by session compromise in production environments.
Frequently asked questions
How would an attacker send this exploit to a victim?
An attacker would craft a URL containing JavaScript in the search parameters, then distribute it via email, instant messaging, social media, or embed it in a compromised website. The link might appear innocuous (e.g., 'Check out my Lyrion playlist') to encourage clicking. If the victim is already logged into the Lyrion server in their browser, the malicious script executes with their session context, allowing the attacker to steal their session token or perform actions on their behalf.
Can this vulnerability be exploited without clicking a link?
No. This is a reflected XSS vulnerability, meaning the payload must be submitted by the victim for the malicious script to execute. The attacker cannot exploit this purely server-side or without user interaction. However, in practice this is not a strong barrier—phishing and social engineering are highly effective at convincing users to click links, especially if the attacker uses a trusted sender address or embeds the link in legitimate-looking messages.
Does this affect stored data or just the user's session?
This vulnerability primarily affects the user's browser session and session token. The malicious script runs client-side in the victim's browser, not on the server. However, once a session is compromised, an attacker could use that stolen session to access, view, or modify stored music libraries, playlists, and metadata on the server. The stored data itself is not directly corrupted by the XSS, but unauthorized access and modification are possible post-exploitation.
Is this vulnerability actively exploited in the wild?
CVE-2026-50235 is not on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation at the time of advisory publication. However, reflected XSS vulnerabilities are commonly targeted by opportunistic attackers and script kiddies, so exposure to attack should be assumed once public disclosure occurs. Proactive patching is strongly recommended regardless of KEV status.
This analysis is provided for informational purposes and is based on the vulnerability advisory and public information available as of the publication date. Patch versions, vendor timelines, and affected product scope should be verified directly against official Lyrion project releases and vendor advisories before taking action. No exploit code or proof-of-concept is provided. Organizations should conduct their own risk assessment based on their specific Lyrion deployment architecture, network exposure, and user base. SEC.co does not guarantee the accuracy or completeness of this information and recommends consultation with the Lyrion maintainers and your internal security team before implementing any changes to production systems. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1