Strix
26.1K

CVE-2026-44482

CRITICALCVSS 9.6/10EPSS 0.34%

Last modified

CVE-2026-44482 is a critical-severity vulnerability rated 9.6/10 on the CVSS scale. soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. EPSS estimates a 0.34% chance of exploitation in the next 30 days.

Description

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (window.soundcloudAPI.sendTrackUpdate) to the remote SoundCloud page. Track metadata from SoundCloud is trusted and forwarded through IPC into the Electron main process. The app later renders that metadata as raw HTML inside privileged Electron views that have Node.js integration enabled. This vulnerability is fixed in 0.1.8.

Metrics

CVSS 3.1
9.6/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Probability
0.34%

25.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

References

Timeline

Published
Last Modified
Status
Deferred

Frequently Asked Questions

What is CVE-2026-44482?
soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (window.soundcloudAPI.sendTrackUpdate) to the remote SoundCloud page. Track metadata from SoundCloud is trusted and forwarded through IPC into the Electron main process. The app later renders that metadata as raw HTML inside privileged Electron views that have Node.js integration enabled. This vulnerability is fixed in 0.1.8.
How severe is CVE-2026-44482?
CVE-2026-44482 has a CVSS score of 9.6/10 (CRITICAL severity). The EPSS model estimates a 0.34% probability of exploitation in the next 30 days.
How do I fix CVE-2026-44482?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-44482?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST