← Advisories

Lyrion Music Server 9.2.0 Path Traversal File Read

High

Advisory ID

ZSL-2026-5992

Release Date

05 June 2026

Vendor

LMS Community - https://www.lyrion.org

Affected Version

9.2.0

CVE

CVE-2026-50234

Tested On

Windows 10 (64-bit) - EN, Lyrion Music Server (9.2.0 - 1779973211), Perl/5.32.1, SQLite

Summary

Lyrion Music Server (formerly Logitech Media Server, and often abbreviated as "LMS" ) is open-source software which can control and serve (stream) music to a wide range of physical and virtual audio players called Squeezeboxes. Lyrion Music Server can stream your local music collection, internet radio stations, and content from many streaming services (with and without subscriptions).

Description

The server suffers from a directory traversal vulnerability. Exploiting this issue will allow an unauthenticated attacker to view arbitrary files within the context of the web server.

Proof of Concept

lyrion_dir.txtTXT

Disclosure Timeline

27.05.2026Vulnerability discovered.

28.05.2026Contact with the vendor.

28.05.2026Vendor responds asking more details.

31.05.2026Sent details to the vendor.

31.05.2026Vendor is working on fixes and hardening security defaults.

02.06.2026Replied to the vendor.

05.06.2026Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.cve.org/CVERecord?id=CVE-2026-50234

Changelog

05.06.2026Initial release