CVE-2026-44482: CWE-20: Improper Input Validation in richardhbtz soundcloud-rpc
CVE-2026-44482 is a critical vulnerability in soundcloud-rpc versions prior to 0. 1. 8. The application improperly validates input from SoundCloud track metadata, allowing an attacker to embed HTML payloads in track titles. This payload executes locally within the Electron app, potentially leading to local command execution due to the rendering of untrusted HTML in privileged views with Node. js integration enabled. The vulnerability arises from trusting and forwarding track metadata through IPC without sanitization. This issue is fixed in version 0. 1. 8.
AI Analysis
Technical Summary
soundcloud-rpc before version 0.1.8 suffers from improper input validation (CWE-20) where attacker-controlled SoundCloud track metadata containing HTML payloads is executed locally in the Electron application. The app exposes a preload API that forwards track metadata from the remote SoundCloud page into the Electron main process via IPC. The metadata is then rendered as raw HTML inside privileged Electron views with Node.js integration enabled, enabling local command execution. This vulnerability is addressed in version 0.1.8.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary commands locally on the victim's machine by embedding malicious HTML in SoundCloud track titles. This can lead to full compromise of the user's environment running the vulnerable soundcloud-rpc client. The CVSS score of 9.6 reflects critical impact with high confidentiality, integrity, and availability consequences.
Mitigation Recommendations
Upgrade soundcloud-rpc to version 0.1.8 or later, where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Users should avoid using vulnerable versions to prevent local command execution risks.
CVE-2026-44482: CWE-20: Improper Input Validation in richardhbtz soundcloud-rpc
Description
CVE-2026-44482 is a critical vulnerability in soundcloud-rpc versions prior to 0. 1. 8. The application improperly validates input from SoundCloud track metadata, allowing an attacker to embed HTML payloads in track titles. This payload executes locally within the Electron app, potentially leading to local command execution due to the rendering of untrusted HTML in privileged views with Node. js integration enabled. The vulnerability arises from trusting and forwarding track metadata through IPC without sanitization. This issue is fixed in version 0. 1. 8.
CVSS v3.1
Score 9.6critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
soundcloud-rpc before version 0.1.8 suffers from improper input validation (CWE-20) where attacker-controlled SoundCloud track metadata containing HTML payloads is executed locally in the Electron application. The app exposes a preload API that forwards track metadata from the remote SoundCloud page into the Electron main process via IPC. The metadata is then rendered as raw HTML inside privileged Electron views with Node.js integration enabled, enabling local command execution. This vulnerability is addressed in version 0.1.8.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary commands locally on the victim's machine by embedding malicious HTML in SoundCloud track titles. This can lead to full compromise of the user's environment running the vulnerable soundcloud-rpc client. The CVSS score of 9.6 reflects critical impact with high confidentiality, integrity, and availability consequences.
Mitigation Recommendations
Upgrade soundcloud-rpc to version 0.1.8 or later, where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Users should avoid using vulnerable versions to prevent local command execution risks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-06T17:18:51.783Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a05e888ec166c07b0eee372
Added to database: 5/14/2026, 3:21:44 PM
Last enriched: 5/21/2026, 3:44:35 PM
Last updated: 6/6/2026, 12:38:28 PM
Views: 60
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.