Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (window.soundcloudAPI.sendTrackUpdate) to the remote SoundCloud page. Track metadata from SoundCloud is trusted and forwarded through IPC into the Electron main process. The app later renders that metadata as raw HTML inside privileged Electron views that have Node.js integration enabled. This vulnerability is fixed in 0.1.8.
AnalysisAI
Remote code execution in soundcloud-rpc Electron app prior to 0.1.8 allows attackers to execute arbitrary commands on victim machines through maliciously crafted SoundCloud track metadata. When a user plays a SoundCloud track with HTML payload in its title, the application renders the metadata as raw HTML in privileged Electron views with Node.js integration enabled, leading to local command execution. User interaction is required (victim must play the malicious track), but no authentication is needed to upload crafted metadata to SoundCloud. Publicly disclosed via GitHub Security Advisory. EPSS data not available; no CISA KEV listing identified.
Technical ContextAI
soundcloud-rpc is an Electron-based desktop application for SoundCloud playback with Discord integration. The vulnerability stems from improper input validation (CWE-20) in the Electron framework's preload API implementation. The application exposes window.soundcloudAPI.sendTrackUpdate to the remote SoundCloud web page, which forwards track metadata through IPC (Inter-Process Communication) to the Electron main process. The critical flaw is that this metadata is subsequently rendered as raw HTML in Electron BrowserWindow views that have nodeIntegration enabled. Electron's security model requires strict separation between remote content and privileged contexts; enabling nodeIntegration in windows that render untrusted content creates a direct path from web content to operating system command execution. This represents a classic Electron context isolation failure where the boundary between web content and native capabilities was improperly maintained.
RemediationAI
Upgrade to soundcloud-rpc version 0.1.8 or later, which addresses the improper input validation and HTML rendering vulnerability. The fix likely implements context isolation, disables nodeIntegration in windows rendering remote content, or sanitizes track metadata before rendering. Users can obtain the patched release from the project's GitHub releases page at https://github.com/richardhbtz/soundcloud-rpc. If immediate upgrade is not feasible, cease using the application until patched, as no effective workaround exists - the vulnerability is inherent to the application's architecture of rendering untrusted SoundCloud metadata in privileged Electron contexts. Disabling the application would eliminate risk but also remove functionality. Network-level mitigations (firewalls, proxies) are ineffective because the malicious payload arrives through legitimate SoundCloud API traffic. The only compensating control is user awareness: avoid playing tracks from untrusted sources, though determining track trustworthiness is impractical for end users.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30300