Description

Lyrion Music Server 9.2.0 contains a reflected cross-site scripting vulnerability: user input supplied in advanced search parameters is not properly sanitized before it is displayed in search forms. Attackers can inject malicious scripts through the unfiltered search parameters to execute arbitrary JavaScript in users' browsers and steal session information.

PUBLISHED | Reserved 2026-06-04 | Published 2026-06-05 | Updated 2026-06-05 | Assigner VulnCheck




MEDIUM: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)

MEDIUM: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

9.2.0: affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5993.php (Zero Science Lab Disclosure) [third-party-advisory]

www.vulncheck.com/...ver-reflected-xss-via-search-parameters (VulnCheck Advisory: Lyrion Music Server 9.2.0 Reflected XSS via search Parameters) [third-party-advisory]

cve.org (CVE-2026-50235)

nvd.nist.gov (CVE-2026-50235)
