← back
CVE-2026-50230

Lyrion Music Server 9.2.0 Reflected XSS via server.log

CVSS 5.1 MEDIUMEPSS 0.3%CWE-79
Vexday Risk Score
28Low
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 5.1EPSS 0.3%KEV nãoPoC Nuclei simMetasploit Patch
Lifecycle
05 Jun 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search parameter to execute code in users' browsers within the context of the affected application.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
LMS Community · Lyrion Music Server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.vulncheck.com/advisories/lyrion-music-server-reflected-xss-via-server-loghttps://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5988.php