CVE-2026-50232 MEDIUM

CVE-2026-50232: Lyrion Music Server 9.2.0 Stored XSS via Metadata Tags

Vendor Lms Community
Product Lyrion Music Server
Weakness CWE-79 · XSS
Published June 5, 2026
Last update June 8, 2026
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Lyrion Music Server 9.2.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through media file metadata tags like GENRE, ARTIST, and ALBUM. Attackers can craft files with XSS payloads in metadata tags that execute in the web interface when users view track information or play files, enabling access to management functions and settings disclosure.

Key dates

02Disclosure timeline

June 5, 2026 CVE published
June 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-48276 WordPress Visual Composer Website Builder plugin <= 45.11.0 - Cross Site Scripting (XSS) Vulnerability CVE-2026-42573 Svelte: XSS via DOM Clobbering of Internal Framework State CVE-2024-45278 Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice CVE-2025-26659 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) CVE-2021-32702 Reflected XSS from the callback handler's error query parameter