Lyrion Music Server 9.2.0 Arbitrary Directory Listing
CVE-2026-50233

6.9MEDIUM

Key Information:

Vendor: Lms Community
Status: Lyrion Music Server
Vendor: CVE Published:; 5 June 2026

🔔 Create Lms Community Vulnerability Alert

What is CVE-2026-50233?

Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.

Affected Version(s)

Lyrion Music Server 9.2.0

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-59...

third-party-advisory

https://www.vulncheck.com/advisories/lyrion-music-server-...

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
Jun 4, 2026

Credit

LiquidWorm as Gjoko Krstic of Zero Science Lab

CVE-2026-50233 Data

JSON