CVE-2025-65229

MEDIUM

Lyrion Music Server < 9.0.3 - XSS

Title source: rule

Description

A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to Settings Player can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output encoding on the Information (Player Info) tab, causing the script to execute in the context of any user viewing that page.

References (2)

Core 2

Core References

Various Sources

https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-65229

View Writeup ZIP pw:eip

Product

https://lyrion.org/

Scores

CVSS v3 4.6

EPSS 0.0005

EPSS Percentile 16.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

lyrion/lyrion_music_server < 9.0.3

Published Dec 08, 2025

Tracked Since Feb 18, 2026