Security Advisory - Published 2026-06-12 - Lyrion Music Server

Lyrion Music Server 9.2.0: file read and XSS self-check

Lyrion Music Server 9.2.0 is listed on the project download page as a development build, while 9.1.0 is shown as the latest stable release. If 9.2.0 is reachable from the internet, treat it as an exposure problem first. The reported issues include unauthenticated file read, directory listing, and stored XSS paths in the web UI.

Defensive scope: this page covers inventory, access restriction, version rollback or update planning, log review, and cleanup. It does not include path traversal strings, XSS payloads, or instructions for testing someone else's server.

What is affected

CVE            | Area                              | Affected version                           | Operator note
CVE-2026-50234 | Path traversal file read          | Lyrion Music Server 9.2.0 / through 9.2.0  | Highest priority if the web UI is public or reverse-proxied.
CVE-2026-50233 | Arbitrary directory listing       | Lyrion Music Server 9.2.0 / through 9.2.0  | Review JSON-RPC and CLI exposure, especially port 9090.
CVE-2026-50232 | Stored XSS through media metadata | Lyrion Music Server 9.2.0 / through 9.2.0  | Risk rises when untrusted media files are scanned into the library.
CVE-2026-50231 | Stored XSS in log viewer          | Lyrion Music Server 9.2.0 / through 9.2.0  | Risk rises when an admin opens logs after untrusted requests hit the server.

Fast exposure check

systemctl status lyrionmusicserver logitechmediaserver squeezeboxserver 2>/dev/null
dpkg -l | egrep 'lyrion|logitechmediaserver|squeezeboxserver'
docker ps --format 'table {{.Names}}\t{{.Image}}\t{{.Ports}}' | egrep -i 'lyrion|logitech|lms'
ss -ltnp | egrep ':9000|:9090'

Port 9000 is commonly used for the web UI. Port 9090 is commonly used by the CLI service. If either one is reachable from the public internet, close it now and review logs before reopening access.

Immediate containment

  1. Move the web UI and CLI service behind LAN, VPN, Cloudflare Access, or an IP allowlist.
  2. Remove public DNS and reverse proxy routes that point directly to Lyrion Music Server.
  3. If you installed 9.2.0 only for testing, move back to the stable 9.1.0 line or a vendor-fixed build when available.
  4. Restart the service after changing network binding or reverse proxy rules.
  5. Keep logs. Do not wipe access logs before checking whether sensitive files may have been requested.

Logs and compromise signs

  • Requests to the web UI or JSON-RPC paths from internet addresses that do not belong to you.
  • Path errors, denied file reads, strange folder names, or repeated requests around file browsing features.
  • Admin users opening the server log viewer after suspicious unauthenticated traffic.
  • New media files from untrusted sources, especially files added shortly before admin browser activity.
  • Changed preferences, plugin settings, reverse proxy credentials, or service environment variables after June 5, 2026.
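As an added example (not code from the advisory or the Lyrion project), the following Python script applies the first two signs above to reverse-proxy access lines: it keeps only sources outside the networks you own, counts 403/404 answers per source, and lists JSON-RPC calls. It assumes nginx/apache combined log format and that the server's JSON-RPC endpoint contains "jsonrpc" in its path; the sample log lines and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Combined log format as written by nginx/apache in front of the web UI (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)

# Address ranges treated as "yours": RFC 1918, loopback, link-local, ULA.
OWN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128", "fe80::/10")]

def is_foreign(ip_text, extra_nets=()):
    """True if the client is outside OWN_NETS and every extra CIDR (VPN, office)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable source field: treat as untrusted
    nets = OWN_NETS + [ipaddress.ip_network(n) for n in extra_nets]
    return not any(ip in net for net in nets)

def triage(lines, extra_nets=(), denial_threshold=3):
    """Summarise the advisory's compromise signs for foreign sources only."""
    foreign = Counter()   # source -> requests that reached the web UI at all
    denials = Counter()   # source -> 403/404 answers (path errors, denied reads)
    rpc_hits = []         # (source, path) for JSON-RPC calls
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_foreign(m["ip"], extra_nets):
            continue
        foreign[m["ip"]] += 1
        if m["status"] in ("403", "404"):
            denials[m["ip"]] += 1
        if "jsonrpc" in m["path"].lower():
            rpc_hits.append((m["ip"], m["path"]))
    repeat = [ip for ip, n in denials.items() if n >= denial_threshold]
    return {"foreign": foreign, "denials": denials,
            "rpc_hits": rpc_hits, "repeat_offenders": repeat}

# Constructed sample; 203.0.113.0/24 (documentation range) stands in for the internet.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Jun/2026:21:02:11 +0000] "GET /status.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2026:21:03:40 +0000] "POST /jsonrpc.js HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:21:03:41 +0000] "GET /music/1/cover.jpg HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:21:03:42 +0000] "GET /music/2/cover.jpg HTTP/1.1" 403 162 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:21:03:43 +0000] "GET /music/3/cover.jpg HTTP/1.1" 404 162 "-" "python-requests/2.31"
""".splitlines()
```

Run it as `triage(open("/var/log/nginx/access.log").readlines(), extra_nets=["<your VPN CIDR>"])`; any entry in "foreign" means the UI was reachable from outside, regardless of status code.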

File and media review

find /var/log -type f \( -iname '*lyrion*' -o -iname '*squeeze*' -o -iname '*logitech*' \) 2>/dev/null
find /var/log/nginx /var/log/apache2 /var/log/httpd -type f -mtime -14 2>/dev/null | head -80
find /srv /music /media -type f -mtime -14 2>/dev/null | head -80

Treat untrusted music files as content, not just harmless media. If other people can upload or sync files into the library, review the source of recent additions and keep admin browsers away from suspicious metadata views until the server is contained.

Safe fix path

  • Best immediate control: keep Lyrion Music Server off the public internet.
  • Version control: avoid running 9.2.0 development builds on public hosts.
  • Reverse proxy: require authentication before the request reaches Lyrion Music Server.
  • Secrets: rotate any credentials stored near the service if logs suggest file read attempts.
  • Browser sessions: clear admin sessions if the log viewer or metadata pages were opened after suspicious traffic.

When to request repair help

Use Ping7 CVE Repair if 9.2.0 was public, you found suspicious file-read or directory-listing traffic, or you cannot confirm whether the server exposed private config, media paths, or service credentials. Ping7 work stays on owned systems and client-approved environments only.
