PatchSiren cyber security CVE debrief
CVE-2026-50233 LMS Community CVE debrief
CVE-2026-50233 is a MEDIUM severity vulnerability in Lyrion Music Server 9.2.0. The vulnerability is caused by an arbitrary directory listing in the readdirectory query, which is exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration. This allows a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.
- Vendor: LMS Community
- Product: Lyrion Music Server
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Users of Lyrion Music Server 9.2.0 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.9 and is classified as CWE-548. It was published on 2026-06-05T14:16:36.550Z and last modified on 2026-06-05T14:59:31.207Z.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates to Lyrion Music Server 9.2.0 as soon as they are available.
- Restrict access to the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js) to only trusted users.
- Implement authentication and authorization for the readdirectory query.
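A defender-side check for the missing restriction described above, as an added example that is not Lyrion Music Server code: it takes folder values already extracted from CLI or JSON-RPC request logs and flags those that fall outside the configured media directories. The directory names, event fields, and addresses are constructed assumptions; the check is lexical only, so enforcement on the server itself would also need to resolve symlinks.

```python
import posixpath

# Assumptions (constructed): the server's configured media directories and
# events already parsed from CLI / JSON-RPC request logs into dicts.
MEDIA_DIRS = ["/srv/music", "/srv/playlists"]
EVENTS = [
    {"src": "192.0.2.10", "service": "jsonrpc", "folder": "/srv/music/Albums"},
    {"src": "198.51.100.7", "service": "cli", "folder": "/srv/music/../../etc"},
    {"src": "198.51.100.7", "service": "cli", "folder": "/srv/music2"},
    {"src": "192.0.2.10", "service": "jsonrpc", "folder": "/srv/playlists"},
    {"src": "203.0.113.5", "service": "jsonrpc", "folder": "/"},
    {"src": "203.0.113.5", "service": "jsonrpc", "folder": "relative/dir"},
]


def normalize(folder):
    """Return the lexically normalized absolute path, or None if unusable."""
    if not folder or "\x00" in folder or not folder.startswith("/"):
        return None
    return posixpath.normpath(folder)  # collapses "." and ".." segments


def within_media_dirs(folder, media_dirs=MEDIA_DIRS):
    """True only if folder is a media directory or lies beneath one."""
    path = normalize(folder)
    if path is None:
        return False
    for root in media_dirs:
        root = posixpath.normpath(root)
        # commonpath compares whole components, so "/srv/music2" is not
        # treated as being inside "/srv/music" the way a prefix test would.
        if posixpath.commonpath([path, root]) == root:
            return True
    return False


def flag_events(events, media_dirs=MEDIA_DIRS):
    """Return (src, service, folder) for every listing outside media_dirs."""
    return [
        (e["src"], e["service"], e["folder"])
        for e in events
        if not within_media_dirs(e.get("folder"), media_dirs)
    ]


if __name__ == "__main__":
    for src, service, folder in flag_events(EVENTS):
        print(f"ALERT {service} listing outside media dirs: {folder!r} from {src}")
```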
Evidence notes
The vulnerability was reported by VulnCheck and Zero Science Lab.
Official resources
CVE-2026-50233 was disclosed by VulnCheck and Zero Science Lab on 2026-06-05.