CVE-2026-44482CRITICAL 9.6EPSS p25.3%

CVE-2026-44482CVE-2026-44482

Description

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (window.soundcloudAPI.sendTrackUpdate) to the remote SoundCloud page. Track metadata from SoundCloud is trusted and forwarded through IPC into the Electron main process. The app later renders that metadata as raw HTML inside privileged Electron views that have Node.js integration enabled. This vulnerability is fixed in 0.1.8.

Scoring

CVSS 3.19.6 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS0.34% probability of exploitation · percentile 25.3% · 2026-06-19T12:03:05Z
Published2026-05-14
Last modified2026-05-14

Underlying weaknesses· 4

CWE-20CWE-79CWE-94CWE-862

References

  1. https://github.com/richardhbtz/soundcloud-rpc/security/advisories/GHSA-p37x-32p8-445f
  2. https://github.com/richardhbtz/soundcloud-rpc/security/advisories/GHSA-p37x-32p8-445f

4

TypeTargetConfidenceTier
WeaknessImproper Input Validationcwe-200%live
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-790%live
WeaknessMissing Authorizationcwe-8620%live
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-4443
CVE
CVE-2026-48559
CVE
CVE-2026-47899
CVE
CVE-2026-3540
CVE
CVE-2026-34769
CVE
CVE-2026-8524
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.