← Advisories

Lyrion Music Server 9.2.0 (server.log) Unauthenticated Reflected XSS

Critical

Advisory ID

ZSL-2026-5988

Release Date

05 June 2026

Vendor

LMS Community - https://www.lyrion.org

Affected Version

9.2.0

CVE

CVE-2026-50230

Tested On

Windows 10 (64-bit) - EN, Lyrion Music Server (9.2.0 - 1779973211), Perl/5.32.1, SQLite

Summary

Lyrion Music Server (formerly Logitech Media Server, and often abbreviated as "LMS" ) is open-source software which can control and serve (stream) music to a wide range of physical and virtual audio players called Squeezeboxes. Lyrion Music Server can stream your local music collection, internet radio stations, and content from many streaming services (with and without subscriptions).

Description

Lyrion Music Server suffers from an unauthenticated reflected cross-site scripting vulnerability through 'server.log' endpoint abusing the 'search' GET parameter. Input is not properly sanitized before being returned to the user, allowing the execution of arbitrary HTML/JS code in a user's browser session in the context of the affected site.

Proof of Concept

lyrion_xss.txtTXT

Disclosure Timeline

27.05.2026Vulnerability discovered.

28.05.2026Contact with the vendor.

28.05.2026Vendor responds asking more details.

31.05.2026Sent details to the vendor.

31.05.2026Vendor is working on fixes and hardening security defaults.

02.06.2026Replied to the vendor.

05.06.2026Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.cve.org/CVERecord?id=CVE-2026-50230

Changelog

05.06.2026Initial release