← Advisories

Lyrion Music Server 9.2.0 (server.log) Unauthenticated Stored XSS

Critical

Advisory ID

ZSL-2026-5989

Release Date

05 June 2026

Vendor

LMS Community - https://www.lyrion.org

Affected Version

9.2.0

CVE

CVE-2026-50231

Tested On

Windows 10 (64-bit) - EN, Lyrion Music Server (9.2.0 - 1779973211), Perl/5.32.1, SQLite

Summary

Lyrion Music Server (formerly Logitech Media Server, and often abbreviated as "LMS" ) is open-source software which can control and serve (stream) music to a wide range of physical and virtual audio players called Squeezeboxes. Lyrion Music Server can stream your local music collection, internet radio stations, and content from many streaming services (with and without subscriptions).

Description

The log viewer reflects request parameters and raw log content into HTML with no escaping. Template Toolkit has no global auto-escaping so any [% var %] without an explicit | html filter is an injection point. The search, lines and path query parameters are reflected directly, and log lines are emitted as raw HTML. Any attacker-provided value that gets logged (a crafted URL, User-Agent, stream title, player name) becomes stored XSS.

============================================================================
/HTML/EN/log.html
-------------------
85:  <input type="text" name="search" id="search" value="[% search %]" ...>
98:  <span><a href="/[% path %]?zip=1">[% "DOWNLOAD" | string %]</a></span>
100: <input type="hidden" name="lines" id="lines" value="[% lines %]"></input>
103: <pre>[% logLines %]</pre>


/Slim/Web/Pages/Common.pm  (logFile)
------------------------------------
508:  my $search = $params->{search};
...   $line = "<span style=\"color:red\">$line</span>" if ...;
549:  return Slim::Web::HTTP::filltemplatefile("log.html", $params);
============================================================================

Proof of Concept

lyrion_storedxss.txtTXT

Disclosure Timeline

27.05.2026Vulnerability discovered.

28.05.2026Contact with the vendor.

28.05.2026Vendor responds asking more details.

31.05.2026Sent details to the vendor.

31.05.2026Vendor is working on fixes and hardening security defaults.

02.06.2026Replied to the vendor.

05.06.2026Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.cve.org/CVERecord?id=CVE-2026-50231

Changelog

05.06.2026Initial release