CVE-2026-50233 is a MEDIUM severity vulnerability in Lyrion Music Server 9.2.0. It is an arbitrary directory listing flaw in the readdirectory query, which is exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists that folder's contents with no restriction to the configured media directories and no authent [truncated]
CVE-2026-50232 is a stored cross-site scripting (XSS) vulnerability in Lyrion Music Server 9.2.0. The vulnerability allows attackers to inject malicious scripts through media file metadata tags such as GENRE, ARTIST, and ALBUM. These scripts execute in the web interface when users view track information or play files, potentially enabling access to management functions and settings disclosure. The CVSS sc [truncated]
CVE-2026-50230 is a MEDIUM severity vulnerability in Lyrion Music Server 9.2.0. The vulnerability is an unauthenticated reflected cross-site scripting (XSS) issue in the server.log endpoint. Attackers can inject arbitrary HTML and JavaScript code through the search parameter, allowing them to execute code in users' browsers within the context of the affected application.