Lyrion Music Server <= 9.2.0 - Cross-Site Scripting

Lyrion Music Server 9.2.0 contains a reflected XSS caused by improper sanitization of the search parameter in the server.log endpoint, letting unauthenticated attackers execute arbitrary script in users' browsers. id: CVE-2026-50230 info: name: Lyrion Music Server = 9.2.0 - Cross-Site Scripting...

EUVD-2026-36636

The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter s in versions up to, and including, 6.0.4 The plugin hooks WordPress's postsrequest filter with wpticketcompostsrequest, which calls emdauthorsearchresults when the current request is an...

CVE-2026-9848

The WP Ticket WordPress plugin (versions up to 6.0.4) is vulnerable to SQL Injection via the WordPress search parameter s. The vulnerability arises when unauthenticated front-end search triggers wp_ticket_com_posts_request(), which calls emd_author_search_results() and concatenates the raw s valu...

CVE-2026-9848 WP Ticket <= 6.0.4 - Unauthenticated SQL Injection via WordPress Search 's' Parameter

The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter s in versions up to, and including, 6.0.4 The plugin hooks WordPress's postsrequest filter with wpticketcompostsrequest, which calls emdauthorsearchresults when the current request is an...

PT-2026-49077

Name of the Vulnerable Software and Affected Versions WP Ticket versions prior to 6.0.5 Description The WP Ticket plugin for WordPress allows unauthenticated attackers to extract sensitive information from the database. The issue occurs during unauthenticated front-end searches when the plugin...

CVE-2026-50230

Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search...

CVE-2026-6225

The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'projectsearch' parameter in all versions up to, and including, 5.0.6 due to insufficient escaping on the user supplied parameter and lack of...

CVE-2026-40384

An improper validation of the search parameter of the commedia files API endpoint leads to a path traversal vulnerability...

CVE-2026-50230

Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search...

CVE-2026-50230 Lyrion Music Server 9.2.0 Reflected XSS via server.log

Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search...

EUVD-2026-34829

Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search...

CVE-2026-50230

Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search...

CVE-2026-50230

Lyrion Music Server 9.2.0 is affected by an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint . The issue allows attackers to inject arbitrary HTML and JavaScript through the search parameter , enabling code execution in users’ browsers within the context of ...

CVE-2026-50230 Lyrion Music Server 9.2.0 Reflected XSS via server.log

Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search...

📄 Lyrion Music Server 9.2.0 server.log Reflected Cross Site Scripting

Lyrion Music Server version 9.2.0 suffers from an unauthenticated reflected cross site scripting vulnerability through server.log endpoint abusing the search GET parameter. Input is not properly sanitized before being returned to the user, allowing the execution of arbitrary HTML/JS code in a use...

PT-2026-46949

Name of the Vulnerable Software and Affected Versions Lyrion Music Server version 9.2.0 Description An unauthenticated reflected cross-site scripting issue exists in the 'server.log' endpoint. This allows attackers to inject arbitrary HTML and JavaScript code via the search parameter. By crafting...

Lyrion Music Server 9.2.0 (server.log) Unauthenticated Reflected XSS

Summary Lyrion Music Server formerly Logitech Media Server, and often abbreviated as "LMS" is open-source software which can control and serve stream music to a wide range of physical and virtual audio players called Squeezeboxes. Lyrion Music Server can stream your local music collection, intern...

GHSA-HGJH-6WJ8-GCGF WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination

Unauthenticated Reflected XSS via $GET'search' in AVideo YouTubeAPI Gallery Pagination Summary A reflected Cross-Site Scripting vulnerability CWE-79 in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim...

WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination

Unauthenticated Reflected XSS via $GET'search' in AVideo YouTubeAPI Gallery Pagination Summary A reflected Cross-Site Scripting vulnerability CWE-79 in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim...

CVE-2019-25732

PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attackers can send GET requests to the search endpoint with crafted SQL payloads in the query parameter to...