CVE-2026-50233

Published: Giu 05, 2026 Last Modified: Giu 05, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,9
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM 5,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: none
Availability: none

Description

AI Translation Available

Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.

548

Exposure of Information Through Directory Listing

Draft
Abstraction: Variant Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality
Potential Impacts:
Read Files Or Directories
Applicable Platforms
All platforms may be affected
View CWE Details
https://www.vulncheck.com/advisories/lyrion-music-server-ar…
https://www.vulncheck.com/advisories/lyrion-music-server-arbitrary-directory-li…
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5991…
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5991.php