soundcloud-rpc CVE-2026-44482

EUVD-2026-30300 CRITICAL
Improper Input Validation (CWE-20)
2026-05-14 security-advisories@github.com
CVSS 3.1: 9.6
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: May 14, 2026 - 16:01 (EUVD)
Analysis Generated: May 14, 2026 - 15:33 (vuln.today)
CVE Published: May 14, 2026 - 15:16 (nvd)

Description (NVD)

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (window.soundcloudAPI.sendTrackUpdate) to the remote SoundCloud page. Track metadata from SoundCloud is trusted and forwarded through IPC into the Electron main process. The app later renders that metadata as raw HTML inside privileged Electron views that have Node.js integration enabled. This vulnerability is fixed in 0.1.8.
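The trust boundary described above, as an added example that is not soundcloud-rpc's code or its 0.1.8 patch: track metadata arriving over IPC is validated as plain strings and escaped before it reaches a view. The field names `title` and `author`, the length limit and the sample payload are assumptions made for illustration.

```javascript
// Added example; field names and limits are assumptions, not the project's schema.
const MAX_LEN = 256;

// Electron webPreferences that keep Node.js out of a view that shows remote data.
const HARDENED_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
});

// Escape the characters that are significant in HTML text and attribute contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Validate a track update received from the remote page.
// Returns a new object holding only the known string fields, or null if malformed.
function sanitizeTrackUpdate(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) return null;
  const clean = {};
  for (const key of ['title', 'author']) {
    const v = payload[key];
    if (typeof v !== 'string') return null;
    // Drop control characters, then cap the length.
    clean[key] = v.replace(/[\u0000-\u001f\u007f]/g, '').slice(0, MAX_LEN);
  }
  return clean;
}

// The pattern the description warns about: metadata interpolated as raw HTML.
function renderUnsafe(track) {
  return `<div class="title">${track.title}</div>`;
}

// Hardened: validated fields are escaped, so markup arrives as inert text.
function renderSafe(payload) {
  const track = sanitizeTrackUpdate(payload);
  if (track === null) return '';
  return `<div class="title">${escapeHtml(track.title)}</div>` +
         `<div class="author">${escapeHtml(track.author)}</div>`;
}

// Constructed sample: a title that carries markup instead of plain text.
const sample = { title: '<b>Song</b>', author: 'A & B' };
```

Escaping and the `webPreferences` settings are independent layers: the first keeps metadata from becoming markup, the second limits what any markup that does slip through can reach.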

Analysis (AI)

Remote code execution in soundcloud-rpc Electron app prior to 0.1.8 allows attackers to execute arbitrary commands on victim machines through maliciously crafted SoundCloud track metadata. When a user plays a SoundCloud track with HTML payload in its title, the application renders the metadata as raw HTML in privileged Electron views with Node.js integration enabled, leading to local command execution. …

Remediation (AI)

Within 24 hours: Identify all systems running soundcloud-rpc and restrict access to the application. Within 7 days: Communicate to affected users that the application must not be used until an update is available; disable or uninstall soundcloud-rpc from managed endpoints if operationally feasible. …
