VYPR
Medium severity (6.1) · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-50235

Description

Lyrion Music Server 9.2.0 has a reflected XSS vulnerability in search parameters, allowing script injection to steal session information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Lyrion Music Server versions up to and including 9.2.0 contain a reflected cross-site scripting vulnerability within its advanced search parameters. The application fails to properly sanitize user-supplied input before rendering it within search forms, making it susceptible to malicious script injection [2].

Exploitation

An unauthenticated attacker with network access can exploit this vulnerability by crafting a malicious URL containing injected JavaScript within the search parameters. When a victim user clicks this URL, the script will execute in their browser within the context of the Lyrion Music Server application, requiring no special privileges or user interaction beyond clicking the link [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim user's browser. This can lead to the theft of sensitive session information, potentially enabling the attacker to impersonate the user or gain unauthorized access to their account and associated data [2].

Mitigation

Lyrion Music Server version 9.2.0 has been patched to address this vulnerability. Users are advised to upgrade to a fixed version. No specific workaround details are available in the provided references, and the end-of-life status for affected versions is not disclosed [2].

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.