CVE-2026-50233

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N                                    

Vulnerability Description

Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.

Vulnerability Details

Published Date

June 05, 2026

Last Modified

June 05, 2026

CWE ID

CWE-548

Source

NVD

Vendor

LMS Community

Product

Lyrion Music Server

External References

https://www.vulncheck.com/advisories/lyrion-music-server-arbitrary-directory-listing
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5991.php

CVE-2026-50233

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment