CVE-2026-50230 Overview
CVE-2026-50230 is a reflected cross-site scripting (XSS) vulnerability in Lyrion Music Server version 9.2.0. The flaw exists in the server.log endpoint, which fails to sanitize input passed through the search parameter. Attackers can craft malicious URLs containing JavaScript payloads that execute in a victim's browser within the context of the affected application. The vulnerability requires no authentication, but it does require user interaction. The issue is tracked under CWE-79 and was published to the National Vulnerability Database (NVD) on June 5, 2026.
Critical Impact
Attackers can execute arbitrary HTML and JavaScript in the browsers of authenticated users, enabling session theft, credential harvesting, and unauthorized actions within Lyrion Music Server.
Affected Products
- Lyrion Music Server 9.2.0
- Prior versions may also be affected (not confirmed in advisory data)
- Deployments exposing the server.log endpoint to untrusted networks
Discovery Timeline
- 2026-06-05 - CVE-2026-50230 published to NVD
- 2026-06-05 - Last updated in NVD database
Technical Details for CVE-2026-50230
Vulnerability Analysis
The vulnerability is a reflected XSS flaw in the Lyrion Music Server server.log endpoint. The application returns the value of the search query parameter directly in the rendered HTML response. Because the input is neither encoded nor validated, an attacker can insert arbitrary script content that the browser parses and executes.
Reflected XSS requires the victim to click a crafted link or visit an attacker-controlled page that issues the malicious request. Once executed, the injected script runs with the privileges of the visiting user inside the Lyrion application context. This can expose session cookies, allow forced actions against the music server, and pivot to other browser-accessible resources.
The vulnerability is categorized as CWE-79: Improper Neutralization of Input During Web Page Generation. EPSS data places exploitation probability at 0.039% as of June 11, 2026, indicating low observed activity, but the lack of authentication lowers the barrier to weaponization.
Root Cause
The server reflects user-controlled data from the search parameter into the HTTP response without applying contextual output encoding. No allowlist or sanitization logic constrains the characters or HTML structures that the parameter may contain.
Attack Vector
An attacker delivers a crafted URL targeting the server.log endpoint with a JavaScript payload in the search parameter. Common delivery channels include phishing emails, malicious advertisements, and forum posts. When a user with access to the Lyrion Music Server interface follows the link, the payload executes in their browser session. Refer to the VulnCheck Security Advisory and the Zero Science Vulnerability Report ZSL-2026-5988 for proof-of-concept details.
// No verified exploit code is published in the referenced advisories.
// See VulnCheck and Zero Science advisories for technical reproduction steps.
Detection Methods for CVE-2026-50230
Indicators of Compromise
- HTTP requests to the server.log endpoint containing <script>, javascript:, or HTML event handler strings in the search parameter
- URL-encoded payloads such as %3Cscript%3E or %3Cimg%20src%3Dx%20onerror%3D within request logs
- Outbound browser connections to unfamiliar domains immediately after a user accesses a Lyrion Music Server URL
Detection Strategies
- Inspect web server and reverse proxy access logs for requests to server.log with suspicious characters in the search parameter
- Deploy web application firewall (WAF) rules that flag reflected XSS signatures targeting Lyrion endpoints
- Correlate referrer headers with externally sourced links to identify phishing-driven exploitation attempts
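As an added example that is not part of the advisory or the Lyrion project, the following Python script applies the indicators and log-inspection strategy above to a few constructed combined-format access log lines, decoding the search parameter before matching so that URL-encoded and double-encoded payloads are caught; the log format, IP addresses and referrer values are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access log lines (combined log format) for illustration;
# they are not taken from any real Lyrion Music Server deployment.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jun/2026:10:00:01 +0000] "GET /server.log?search=error HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [05/Jun/2026:10:00:02 +0000] "GET /server.log?search=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "http://phish.example/" "Mozilla/5.0"
192.0.2.12 - - [05/Jun/2026:10:00:03 +0000] "GET /server.log?search=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.13 - - [05/Jun/2026:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: client, timestamp, request line, status, size, referrer, agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"')

# Indicators named in the advisory (script tags, javascript: URLs, HTML event
# handlers), matched against the decoded parameter so that %3Cscript%3E is caught too.
XSS_RE = re.compile(r'(<\s*script|javascript\s*:|<\s*\w+[^>]*\son\w+\s*=)', re.IGNORECASE)

def decode_search(target):
    """Return the fully decoded 'search' parameter of a server.log request, else None."""
    url = urlparse(target)
    if not url.path.endswith('/server.log'):
        return None
    values = parse_qs(url.query, keep_blank_values=True).get('search')
    if not values:
        return None
    value = values[0]
    # Decode repeatedly to defeat double-encoding (%253C -> %3C -> <).
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious(log_text):
    """Return (ip, referrer, decoded_search) for requests matching the XSS indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        search = decode_search(m.group('target'))
        if search is not None and XSS_RE.search(search):
            hits.append((m.group('ip'), m.group('referrer'), search))
    return hits

if __name__ == '__main__':
    for ip, ref, payload in find_suspicious(SAMPLE_LOG):
        print(f"{ip} referrer={ref!r} search={payload!r}")
```

The referrer column is kept in each hit so the results can be correlated with externally sourced links, as the last strategy above suggests.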
Monitoring Recommendations
- Forward Lyrion Music Server HTTP logs to a centralized SIEM for retention and query
- Alert on repeated requests to server.log from a single source within short time windows
- Monitor endpoint browsers for anomalous JavaScript execution patterns originating from the Lyrion application origin
How to Mitigate CVE-2026-50230
Immediate Actions Required
- Restrict network access to Lyrion Music Server so the management interface is not exposed to untrusted networks
- Educate users to avoid clicking unsolicited links that reference the Lyrion server.log endpoint
- Deploy WAF rules that block or sanitize HTML and JavaScript metacharacters in the search parameter
Patch Information
No vendor patch is referenced in the available advisory data at the time of NVD publication. Monitor the VulnCheck Security Advisory and the Zero Science Vulnerability Report ZSL-2026-5988 for vendor updates and remediation guidance.
Workarounds
- Place Lyrion Music Server behind an authenticated reverse proxy that restricts access to known users
- Enforce a strict Content Security Policy (CSP) that disables inline scripts and restricts script sources
- Configure browsers and endpoint controls to block navigation to externally sourced Lyrion URLs containing script payloads
# Example NGINX rule to block obvious XSS payloads in the search parameter.
# $args is the raw, still URL-encoded query string, so the encoded forms named in the
# indicators above (%3Cscript%3E, onerror%3D) must be listed alongside the literal ones;
# this is a stopgap, not a substitute for output encoding in the application.
location /server.log {
    if ($args ~* "(<script|%3Cscript|javascript:|javascript%3A|onerror=|onerror%3D|onload=|onload%3D)") {
        return 403;
    }
    proxy_pass http://lyrion_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.