Skip to main content

soundcloud-rpc EUVDEUVD-2026-30300

| CVE-2026-44482 CRITICAL
Improper Input Validation (CWE-20)
2026-05-14 security-advisories@github.com
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 14, 2026 - 16:01 EUVD
Analysis Generated
May 14, 2026 - 15:33 vuln.today
CVE Published
May 14, 2026 - 15:16 nvd
CRITICAL 9.6

DescriptionGitHub Advisory

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (window.soundcloudAPI.sendTrackUpdate) to the remote SoundCloud page. Track metadata from SoundCloud is trusted and forwarded through IPC into the Electron main process. The app later renders that metadata as raw HTML inside privileged Electron views that have Node.js integration enabled. This vulnerability is fixed in 0.1.8.

AnalysisAI

Remote code execution in soundcloud-rpc Electron app prior to 0.1.8 allows attackers to execute arbitrary commands on victim machines through maliciously crafted SoundCloud track metadata. When a user plays a SoundCloud track with HTML payload in its title, the application renders the metadata as raw HTML in privileged Electron views with Node.js integration enabled, leading to local command execution. User interaction is required (victim must play the malicious track), but no authentication is needed to upload crafted metadata to SoundCloud. Publicly disclosed via GitHub Security Advisory. EPSS data not available; no CISA KEV listing identified.

Technical ContextAI

soundcloud-rpc is an Electron-based desktop application for SoundCloud playback with Discord integration. The vulnerability stems from improper input validation (CWE-20) in the Electron framework's preload API implementation. The application exposes window.soundcloudAPI.sendTrackUpdate to the remote SoundCloud web page, which forwards track metadata through IPC (Inter-Process Communication) to the Electron main process. The critical flaw is that this metadata is subsequently rendered as raw HTML in Electron BrowserWindow views that have nodeIntegration enabled. Electron's security model requires strict separation between remote content and privileged contexts; enabling nodeIntegration in windows that render untrusted content creates a direct path from web content to operating system command execution. This represents a classic Electron context isolation failure where the boundary between web content and native capabilities was improperly maintained.

RemediationAI

Upgrade to soundcloud-rpc version 0.1.8 or later, which addresses the improper input validation and HTML rendering vulnerability. The fix likely implements context isolation, disables nodeIntegration in windows rendering remote content, or sanitizes track metadata before rendering. Users can obtain the patched release from the project's GitHub releases page at https://github.com/richardhbtz/soundcloud-rpc. If immediate upgrade is not feasible, cease using the application until patched, as no effective workaround exists - the vulnerability is inherent to the application's architecture of rendering untrusted SoundCloud metadata in privileged Electron contexts. Disabling the application would eliminate risk but also remove functionality. Network-level mitigations (firewalls, proxies) are ineffective because the malicious payload arrives through legitimate SoundCloud API traffic. The only compensating control is user awareness: avoid playing tracks from untrusted sources, though determining track trustworthiness is impractical for end users.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2026-30300 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy