CVE-2026-50231 Overview
CVE-2026-50231 is a stored cross-site scripting (XSS) vulnerability in Lyrion Music Server 9.2.0. The flaw resides in the log viewer component, which renders template variables without HTML escaping, so attacker-controlled text that reaches the server logs is interpreted as markup and script when the logs are displayed. Attackers can deliver payloads through the search, lines, and path query parameters, or by submitting values that the server writes to its logs, such as URLs, User-Agent headers, stream titles, or player names. When an authenticated user views the log viewer, the injected script executes in that user's browser session. The vulnerability is tracked under [CWE-79] and does not require authentication for payload injection.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript that executes in the browsers of administrators viewing server logs, enabling session theft and unauthorized actions.
Affected Products
- Lyrion Music Server 9.2.0
- Log viewer component processing search, lines, and path query parameters
- Logging subsystem that records URLs, User-Agent headers, stream titles, and player names
Discovery Timeline
- 2026-06-05 - CVE-2026-50231 published to NVD
- 2026-06-05 - Last updated in NVD database
Technical Details for CVE-2026-50231
Vulnerability Analysis
The vulnerability stems from improper output encoding in the Lyrion Music Server log viewer. Template variables rendered to the log viewer page are not HTML-escaped before being sent to the browser. Any attacker-controlled value that reaches the log file becomes executable script content when the log viewer displays it.
Two injection paths exist. The first path uses direct query parameters such as search, lines, and path, which are reflected into the log viewer template. The second path is stored: the server records HTTP request data, streaming metadata, and player identifiers into log files. An attacker who controls any of those values plants a payload that fires later when an administrator opens the log viewer.
Exploitation requires that a privileged user open the log viewer, but injection itself requires no authentication. Successful exploitation runs arbitrary JavaScript in the context of the Lyrion Music Server web interface.
Root Cause
The root cause is missing output sanitization on template variables in the log viewer. The server treats logged content as trusted text and emits it into HTML without escaping characters such as <, >, and ". This matches the classic pattern described by [CWE-79]: Improper Neutralization of Input During Web Page Generation.
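The following is an added illustration, not code from Lyrion Music Server: a minimal Python model of a log viewer that takes the reflected search and lines parameters plus stored log lines, rendered once in the vulnerable pattern (raw interpolation) and once in the hardened pattern (HTML-escaping every variable at output time). The log lines and their format are constructed for the example.

```python
import html
from typing import Iterable

# Constructed sample log lines in the shape the advisory describes: the
# server writes request metadata (here a User-Agent and a player name)
# into its log file verbatim. The format is illustrative, not Lyrion's.
SAMPLE_LOG = [
    '[26-06-05 10:01:02] request from 10.0.0.5 UA="Mozilla/5.0"',
    '[26-06-05 10:01:09] player connected name="Kitchen <script>alert(1)</script>"',
]

def filter_lines(lines: Iterable[str], search: str, limit: int) -> list[str]:
    """Return at most `limit` most recent lines containing `search` (case-insensitive)."""
    hits = [ln for ln in lines if search.lower() in ln.lower()]
    return hits[-limit:]

def render_unsafe(lines: Iterable[str], search: str, limit: int) -> str:
    """Vulnerable pattern: template variables are interpolated raw, so both the
    reflected `search` parameter and the stored log text become live markup."""
    body = "\n".join(filter_lines(lines, search, limit))
    return f"<h2>Log (filter: {search})</h2><pre>{body}</pre>"

def render_safe(lines: Iterable[str], search: str, limit: int) -> str:
    """Hardened pattern: every variable is HTML-escaped at output time.
    quote=True also encodes quotes so values stay inert inside attributes."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)
    body = "\n".join(esc(ln) for ln in filter_lines(lines, search, limit))
    return f"<h2>Log (filter: {esc(search)})</h2><pre>{body}</pre>"
```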
Attack Vector
An attacker can trigger the vulnerability over the network without credentials. Crafted HTTP requests with malicious User-Agent headers, manipulated stream titles, or attacker-chosen player names cause script payloads to be written to log files. When an administrator opens the log viewer or follows a crafted URL containing payloads in the search, lines, or path parameters, the script executes in their browser. Technical details are documented in the VulnCheck Security Advisory and the Zero Science Vulnerability Report.
Detection Methods for CVE-2026-50231
Indicators of Compromise
- Log entries containing HTML tags such as <script>, <img>, or <svg onload=> in User-Agent, stream title, or player name fields
- HTTP requests to the log viewer endpoint with suspicious values in search, lines, or path parameters
- Unexpected outbound requests from administrator browsers shortly after viewing server logs
Detection Strategies
- Inspect Lyrion Music Server access logs and application logs for HTML or JavaScript characters in fields that should contain only plaintext metadata
- Alert on web requests where query parameters contain encoded <, >, or event handler keywords such as onerror and onload
- Correlate log viewer access events with anomalous session activity for the viewing administrator account
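An added example (not part of the advisory) of the first two detection strategies above: a scanner that normalizes each log line (repeated percent-decoding, then HTML-entity decoding) and flags HTML tags, inline event handler attributes, and javascript: URLs in application and access log lines. The sample lines are constructed; the log format and the log viewer path are illustrative, taken from this page rather than from Lyrion's real layout.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample lines: two application log entries with request metadata,
# one access-log entry hitting the log viewer with an encoded payload in the
# search parameter, and one benign stream title.
SAMPLE_LINES = [
    '[26-06-05 10:01:02] request 10.0.0.5 ua="Mozilla/5.0 (X11)" path=/stream.mp3',
    '[26-06-05 10:01:09] player connected name="Kitchen <svg onload=alert(1)>"',
    '10.0.0.9 - - [05/Jun/2026:10:02:11] "GET /settings/server/log?search=%3Cscript%3E&lines=50 HTTP/1.1" 200',
    '[26-06-05 10:03:00] stream title="Morning Show - Episode 12"',
]

# Indicators from the advisory: an HTML tag opener, an on*= event handler
# attribute, or a javascript: URL. Applied after decoding so %3C and &lt;
# variants match. The on*= heuristic can false-positive on words such as
# "one=", so treat hits as triage candidates rather than verdicts.
XSS_PATTERNS = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9]*\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)

def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode up to `rounds` times (double encoding), then unescape entities."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)

def scan_line(line: str) -> list[str]:
    """Return the XSS-like fragments found in one log line (empty if clean)."""
    return [m.group(0) for m in XSS_PATTERNS.finditer(normalize(line))]

def scan(lines) -> list[tuple[int, str]]:
    """Return (line_number, matched_fragment) pairs for lines that look tainted."""
    hits: list[tuple[int, str]] = []
    for idx, line in enumerate(lines, start=1):
        for frag in scan_line(line):
            hits.append((idx, frag))
    return hits
```

Run the same scanner over forwarded access logs to cover the reflected search, lines, and path parameters, and over the application log to cover stored User-Agent, stream title, and player name fields.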
Monitoring Recommendations
- Forward Lyrion Music Server logs to a centralized log platform and apply pattern matching for XSS payload signatures
- Monitor browser process telemetry on administrator workstations for unexpected script execution following log viewer access
- Track changes to administrator session tokens or configuration after log viewer interactions
How to Mitigate CVE-2026-50231
Immediate Actions Required
- Restrict access to the Lyrion Music Server administrative interface to trusted networks only
- Avoid using the built-in log viewer until a vendor patch is applied; review logs directly from the file system instead
- Rotate administrator credentials and session tokens if the log viewer has been used since exposure
Patch Information
At the time of publication, no fixed version is referenced in the NVD entry for CVE-2026-50231. Monitor the VulnCheck Security Advisory and the Zero Science Vulnerability Report for vendor remediation guidance and updated releases.
Workarounds
- Place Lyrion Music Server behind a reverse proxy or web application firewall that strips or encodes HTML metacharacters in request headers and query parameters
- Disable or block external access to the log viewer endpoint at the network layer
- Sanitize streaming source metadata and player names before they reach the server when feasible
# Example reverse proxy filter to block obvious XSS payloads in log viewer parameters.
# Note: $args is the raw, un-decoded query string, so percent-encoded variants
# are not caught; treat this as defense in depth, not a substitute for a patch.
location /settings/server/log {
    if ($args ~* "(<script|onerror=|onload=|javascript:)") {
        return 403;
    }
    proxy_pass http://lyrion_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.