CVE-2026-50233
MEDIUM
CVSS 6.9
No EPSS data
Description
Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-50233",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Primary",
"source": "disclosure@vulncheck.com",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 5.3,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"integrityImpact": "NONE",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "NONE",
"confidentialityImpact": "LOW"
},
"impactScore": 1.4,
"exploitabilityScore": 3.9
}
],
"cvssMetricV40": [
{
"type": "Secondary",
"source": "disclosure@vulncheck.com",
"cvssData": {
"Safety": "NOT_DEFINED",
"version": "4.0",
"Recovery": "NOT_DEFINED",
"baseScore": 6.9,
"Automatable": "NOT_DEFINED",
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"exploitMaturity": "NOT_DEFINED",
"providerUrgency": "NOT_DEFINED",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "NONE",
"subIntegrityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"vulnAvailabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"subConfidentialityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED"
}
}
]
},
"published": "2026-06-05T14:16:36.550",
"references": [
{
"url": "https://www.vulncheck.com/advisories/lyrion-music-server-arbitrary-directory-listing",
"source": "disclosure@vulncheck.com"
},
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5991.php",
"source": "disclosure@vulncheck.com"
}
],
"vulnStatus": "Deferred",
"weaknesses": [
{
"type": "Primary",
"source": "disclosure@vulncheck.com",
"description": [
{
"lang": "en",
"value": "CWE-548"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem."
}
],
"lastModified": "2026-06-05T14:59:31.207",
"sourceIdentifier": "disclosure@vulncheck.com"
}
}