Unknown · Soundcloud-Rpc · CVE-2026-44482
**Name of the Vulnerable Software and Affected Versions**
soundcloud-rpc versions prior to 0.1.8
**Description**
An issue exists where track titles containing HTML payloads can be executed locally within the Electron application. Attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API 'window.soundcloudAPI.sendTrackUpdate' to the remote SoundCloud page, and track metadata is trusted and forwarded through Inter-Process Communication (IPC) into the Electron main process. This metadata is subsequently rendered as raw HTML inside privileged Electron views that have Node.js integration enabled.
**Recommendations**
Update to version 0.1.8.