CVE-2026-50233 MEDIUM

CVE-2026-50233: Lyrion Music Server 9.2.0 Arbitrary Directory Listing

Vendor Lms Community
Product Lyrion Music Server
Weakness CWE-548 · Directory listing
Published June 5, 2026
Last update June 9, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.
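The missing control described above is a containment check on the folder parameter. The following is an added illustration of that check, not code from Lyrion Music Server or from this record; the function names, the `media_dirs` argument and the sample directory tree are assumptions made for the example.

```python
import os
import tempfile

def resolve_listing_target(folder, media_dirs):
    """Return the canonical path to list, or None if it is outside media_dirs."""
    if not folder or "\x00" in folder:
        return None
    # realpath collapses ".." and follows symlinks, so the comparison is made
    # on the location that would actually be read.
    target = os.path.realpath(folder)
    for root in media_dirs:
        root_real = os.path.realpath(root)
        try:
            # commonpath compares whole components, so "/srv/media_private"
            # does not pass as a child of "/srv/media".
            if os.path.commonpath([target, root_real]) == root_real:
                return target
        except ValueError:  # e.g. paths on different drives
            continue
    return None

def safe_readdirectory(folder, media_dirs):
    """List a folder only if it resolves inside a configured media directory."""
    target = resolve_listing_target(folder, media_dirs)
    if target is None or not os.path.isdir(target):
        raise PermissionError("folder is outside the configured media directories")
    return sorted(os.listdir(target))

def demo():
    # Constructed sample tree: one media root, a sibling directory sharing its
    # name prefix, and a symlink inside the root that points outside it.
    with tempfile.TemporaryDirectory() as base:
        media = os.path.join(base, "media")
        other = os.path.join(base, "media_private")
        os.makedirs(os.path.join(media, "album"))
        os.makedirs(other)
        open(os.path.join(media, "album", "track.flac"), "w").close()
        os.symlink(other, os.path.join(media, "escape"))
        requests = {
            "inside": os.path.join(media, "album"),
            "dotdot": os.path.join(media, "album", "..", "..", "media_private"),
            "sibling_prefix": other,
            "symlink": os.path.join(media, "escape"),
        }
        results = {}
        for name, folder in requests.items():
            try:
                results[name] = safe_readdirectory(folder, [media])
            except PermissionError:
                results[name] = "denied"
        return results
```

A check of this kind addresses only the path restriction; the description also notes that the query requires no authentication in the default configuration, which is a separate exposure.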

Key dates

02 Disclosure timeline

June 5, 2026 CVE published
June 9, 2026 Record updated