Description
soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (window.soundcloudAPI.sendTrackUpdate) to the remote SoundCloud page. Track metadata from SoundCloud is trusted and forwarded through IPC into the Electron main process. The app later renders that metadata as raw HTML inside privileged Electron views that have Node.js integration enabled. This vulnerability is fixed in 0.1.8.
Published: 2026-05-14
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in soundcloud-rpc allows an attacker-controlled SoundCloud track title containing an HTML payload to execute locally inside the Electron application. The preload script exposes window.soundcloudAPI.sendTrackUpdate to the remote SoundCloud page, so whatever that page delivers can call it; the main process forwards the untrusted metadata over IPC without validation and later renders it as raw HTML in privileged Electron views that have Node.js integration enabled. Script injected that way runs with access to Node APIs and can therefore execute arbitrary commands on the user's machine. The flaw is a cross-site scripting (XSS) issue that escalates to local code execution; the record tags it as improper input validation (CWE-20), improper neutralization of input during web page generation (CWE-79), missing authorization on the exposed API (CWE-862) and code injection (CWE-94).

Affected Systems

The affected product is the soundcloud-rpc client developed by Richard H. Btz. Versions prior to 0.1.8 are vulnerable because they forward track metadata from the SoundCloud page over IPC unvalidated and render it as raw HTML in privileged Electron views. Version 0.1.8 and later contain the fix; the description on this page does not detail the change itself.

Risk and Exploitability

The CVSS 3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) is critical: the attack is delivered over the network, needs no privileges, requires only that the user play the track (UI:R), and changes scope (S:C) because content hosted on SoundCloud ends up executing in the Node.js-privileged Electron process, with complete loss of confidentiality, integrity and availability. No EPSS score is available yet, and the CVE is not listed in CISA's Known Exploited Vulnerabilities catalog; the SSVC assessment recorded on this page is Exploitation: none, Automatable: no, Technical Impact: total. The likely attack path is to publish a track on SoundCloud whose title carries an HTML payload and entice a user of the client to play it, at which point the metadata is rendered and the payload executes. No public exploit has been documented, but the severity and the simplicity of the path warrant prompt upgrading.

Generated by OpenCVE AI on May 14, 2026 at 16:22 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description states that the issue is fixed in soundcloud-rpc 0.1.8.

OpenCVE Recommended Actions

  • Upgrade to soundcloud-rpc 0.1.8 or later, the release the CVE description identifies as fixed.
  • Until the upgrade can be performed, avoid playing tracks from untrusted accounts in the client: exploitation only requires the track's metadata to be rendered, and the page lists no user-side setting that disables the vulnerable path.
  • For maintainers and forks: render track metadata as text (textContent or an HTML-escaping step) rather than raw HTML; validate and authorize the payload the main process receives over IPC from the preload API, since the remote page can call it; and run the views that display this data with Node.js integration disabled and context isolation enabled, so that an injection in a view cannot reach Node APIs.
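As an added example (not soundcloud-rpc's own code; the project's actual fix is not shown on this page), the following Node script contrasts the raw-HTML rendering pattern the analysis above describes with the layers the recommended actions call for: output encoding, sender authorization on the IPC channel, payload validation, and the webPreferences that keep a view away from Node. The host allow-list, field names, length limit and sample titles are assumptions chosen for illustration, and the Electron calls appear only in comments so the script runs under plain Node.

```javascript
// Added example, not soundcloud-rpc's code: the layers that close the path
// the advisory describes (preload API reachable by the remote page ->
// unvalidated IPC -> raw-HTML rendering in a Node-enabled view). Runs under
// plain Node; Electron calls appear only in comments. The allow-listed hosts,
// the field names and the length limit are assumptions for illustration.

const MAX_FIELD_LEN = 200; // assumed limit for title/artist strings

// Vulnerable pattern as the advisory describes it: the title is interpolated
// straight into markup. A title such as the constructed HOSTILE sample below
// becomes a live <img onerror=...> element; with nodeIntegration enabled in
// the view, require('child_process') is reachable from that handler.
function renderTrackUnsafe(track) {
  return `<div class="track"><b>${track.title}</b> by ${track.artist}</div>`;
}

// Layer 1: output encoding. Every metadata field is HTML-escaped before it is
// interpolated, so markup in a title is displayed literally, never parsed.
// (In a renderer, assigning el.textContent instead of el.innerHTML is the
// equivalent fix.)
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderTrackSafe(track) {
  return `<div class="track"><b>${escapeHtml(track.title)}</b> by ${escapeHtml(track.artist)}</div>`;
}

// Layer 2: authorize the IPC sender. Because the preload API is exposed to the
// remote page, the main process checks which frame is calling it, e.g.
//   ipcMain.handle('track-update', (event, payload) => {
//     if (!isTrustedSender(event.senderFrame.url)) return null;
//     return validateTrackUpdate(payload);
//   });
// The host allow-list below is an assumption, not the project's.
function isTrustedSender(frameUrl) {
  try {
    const u = new URL(frameUrl);
    return u.protocol === 'https:' &&
      (u.hostname === 'soundcloud.com' || u.hostname.endsWith('.soundcloud.com'));
  } catch {
    return false;
  }
}

// Layer 3: validate the payload's shape at the trust boundary. This enforces
// types, lengths and a URL scheme; it deliberately does not try to strip HTML,
// because titles may legitimately contain '<' or '&' and output encoding
// (layer 1) is what makes them inert. Returns a clean copy or null.
function validateTrackUpdate(payload) {
  if (payload === null || typeof payload !== 'object') return null;
  const out = {};
  for (const key of ['title', 'artist']) {
    const v = payload[key];
    if (typeof v !== 'string' || v.length === 0 || v.length > MAX_FIELD_LEN) return null;
    if (/[\u0000-\u001f\u007f]/.test(v)) return null; // no control characters
    out[key] = v;
  }
  if (payload.url !== undefined) {
    if (!isTrustedSender(payload.url)) return null; // same scheme/host rule for track links
    out.url = new URL(payload.url).href;
  }
  return out;
}

// Layer 4 (configuration): a view that displays this data must not be able to
// reach Node even if an injection slips through. Pass these as webPreferences
// to new BrowserWindow({ webPreferences }) or new BrowserView({ webPreferences }).
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Constructed samples (not real SoundCloud data).
const BENIGN = { title: 'Summer Mix 2024', artist: 'DJ Example' };
const HOSTILE = {
  title: '<img src=x onerror="require(\'child_process\').exec(\'calc\')">',
  artist: 'anon',
};

// Runs each layer over the samples and reports whether the hostile title
// survives as markup. Returns the results so they can be inspected.
function demo() {
  return {
    unsafeHasMarkup: renderTrackUnsafe(HOSTILE).includes('<img'),
    safeHasMarkup: renderTrackSafe(HOSTILE).includes('<img'),
    hostilePassesShapeCheck: validateTrackUpdate(HOSTILE) !== null, // true: encoding, not validation, defuses it
    benignAccepted: validateTrackUpdate(BENIGN) !== null,
    viewCanReachNode: hardenedWebPreferences.nodeIntegration,
  };
}

console.log(demo());
```

Note that validateTrackUpdate accepts the hostile title: its job is to reject malformed messages (wrong types, oversized strings, control characters, non-https links), not to recognise HTML, which is why the escaping step and the Node-free view are still required. Applying only one of the layers leaves the others' failure modes open.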

Advisories

No advisories yet.

History

Thu, 14 May 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:15:00 +0000

Type: Description
Values removed: (none)
Values added: soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (window.soundcloudAPI.sendTrackUpdate) to the remote SoundCloud page. Track metadata from SoundCloud is trusted and forwarded through IPC into the Electron main process. The app later renders that metadata as raw HTML inside privileged Electron views that have Node.js integration enabled. This vulnerability is fixed in 0.1.8.

Type: Title
Values removed: (none)
Values added: soundcloud-rpc: Remote Code Execution via XSS in Track Title

Type: Weaknesses
Values removed: (none)
Values added: CWE-20, CWE-79, CWE-862, CWE-94

Type: References
Values removed: (none)
Values added: (none listed on this page)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T17:58:22.744Z

Reserved: 2026-05-06T17:18:51.783Z

Link: CVE-2026-44482

Vulnrichment

Updated: 2026-05-14T17:58:13.294Z

NVD

Status: Deferred

Published: 2026-05-14T15:16:48.793

Modified: 2026-05-14T18:19:25.260

Link: CVE-2026-44482

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T16:30:24Z