CVE-2026-44482: SoundCloud Client allows malicious track titles to run code locally
Summary
A security issue was found in soundcloud-rpc, a SoundCloud client. If a user plays a SoundCloud track with a malicious title, that title could run code on the user's computer. This is fixed in version 0.1.8; update to that version to stay secure.
Original title
soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron a...
Original description
soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (window.soundcloudAPI.sendTrackUpdate) to the remote SoundCloud page. Track metadata from SoundCloud is trusted and forwarded through IPC into the Electron main process. The app later renders that metadata as raw HTML inside privileged Electron views that have Node.js integration enabled. This vulnerability is fixed in 0.1.8.
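The trust boundary described above, as an added example that is not soundcloud-rpc's own code: metadata arriving over IPC is validated, then HTML-escaped before it reaches a view, and the view itself runs without Node.js integration. The function names, the `title`/`author` field names and the sample title are assumptions made for illustration; the three `webPreferences` keys are standard Electron settings.

```javascript
'use strict';
// Added example with hypothetical names; not taken from soundcloud-rpc.

const MAX_FIELD_LEN = 512;                 // assumed cap for a metadata field
const ALLOWED_FIELDS = ['title', 'author']; // assumed field names

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Main-process side: treat the payload sent by the remote page as untrusted.
// Only known string fields survive; control characters go, length is capped.
function validateTrackUpdate(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    throw new TypeError('track update must be a plain object');
  }
  const clean = {};
  for (const field of ALLOWED_FIELDS) {
    const value = payload[field];
    if (value === undefined) continue;
    if (typeof value !== 'string') throw new TypeError(`${field} must be a string`);
    clean[field] = value.replace(/[\u0000-\u001f\u007f]/g, '').slice(0, MAX_FIELD_LEN);
  }
  return clean;
}

// The pattern the description names: metadata interpolated as raw HTML.
function renderUnsafe(track) {
  return `<div class="title">${track.title}</div>`;
}

// Hardened form: validate first, then escape at the point of output.
function renderSafe(track) {
  const clean = validateTrackUpdate(track);
  return `<div class="title">${escapeHtml(clean.title ?? '')}</div>`;
}

// Settings for any view that displays remote data, so that markup which
// slips through still has no Node.js APIs to reach.
const HARDENED_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
});

// Constructed sample title standing in for attacker-controlled metadata.
const SAMPLE_TITLE = '<img src=x onerror="1">';
```

Setting the text through `textContent` in the renderer instead of building an HTML string removes the need for escaping at that sink altogether.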
NVD CVSS 3.1: 9.6
Vulnerability type
CWE-20: Improper Input Validation
CWE-79: Cross-site Scripting (XSS)
CWE-94: Code Injection
CWE-862: Missing Authorization
Published: 14 May 2026 · Updated: 28 May 2026 · First seen: 14 May 2026