← Advisories

Lyrion Music Server 9.2.0 (search.*) Multiple Script Insertions

High

Advisory ID

ZSL-2026-5993

Release Date

05 June 2026

Vendor

LMS Community - https://www.lyrion.org

Affected Version

9.2.0

CVE

CVE-2026-50235

Tested On

Windows 10 (64-bit) - EN, Lyrion Music Server (9.2.0 - 1779973211), Perl/5.32.1, SQLite

Summary

Lyrion Music Server (formerly Logitech Media Server, and often abbreviated as "LMS" ) is open-source software which can control and serve (stream) music to a wide range of physical and virtual audio players called Squeezeboxes. Lyrion Music Server can stream your local music collection, internet radio stations, and content from many streaming services (with and without subscriptions).

Description

Advanced-search parameters (search.*) are stuffed back into the page so the form keeps its values. Most fields apply | html, but several free-text fields do not, resulting in reflected XSS.

Proof of Concept

lyrion_xss3.txtTXT

Disclosure Timeline

27.05.2026Vulnerability discovered.

28.05.2026Contact with the vendor.

28.05.2026Vendor responds asking more details.

31.05.2026Sent details to the vendor.

31.05.2026Vendor is working on fixes and hardening security defaults.

02.06.2026Replied to the vendor.

05.06.2026Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.cve.org/CVERecord?id=CVE-2026-50235

Changelog

05.06.2026Initial release