PT-2026-39464 · Unknown · Soundcloud-Rpc

Matheus-Hrm · Published 2026-05-10 · Updated 2026-05-14 · CVE-2026-44482

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: soundcloud-rpc versions prior to 0.1.8
Description: HTML payloads in track titles can be executed locally within the Electron application, so attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API, 'window.soundcloudAPI.sendTrackUpdate', to the remote SoundCloud page; track metadata is trusted and forwarded through Inter-Process Communication (IPC) into the Electron main process. This metadata is then rendered as raw HTML inside privileged Electron views that have Node.js integration enabled.
Recommendations: Update to version 0.1.8.
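
The trust chain described above (remote page, preload API, IPC, privileged view) can be broken at two points: validate the metadata when it arrives in the main process, and HTML-encode it before it reaches any markup. The following is an added example, not code from soundcloud-rpc or its 0.1.8 fix; the field names, length limit and 'track-update' channel are assumptions, and only the webPreferences keys are Electron's own.

```javascript
// Added example, not soundcloud-rpc code. The field names (title, author),
// the length limit and the 'track-update' channel are hypothetical.

// Electron webPreferences for any view that shows remote-derived data:
// no Node.js in the renderer, isolated preload world, sandbox on.
const HARDENED_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
});

const MAX_FIELD_LENGTH = 256; // assumed limit for display fields
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML structure.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Treat the IPC payload as untrusted: accept only a plain object whose
// expected fields are bounded strings, and copy nothing else across.
function sanitizeTrackUpdate(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) return null;
  const clean = {};
  for (const field of ['title', 'author']) {
    const value = payload[field];
    if (typeof value !== 'string' || value.length === 0 || value.length > MAX_FIELD_LENGTH) return null;
    clean[field] = value.replace(/[\u0000-\u001f\u007f]/g, ''); // drop control characters
  }
  return clean;
}

// Build view markup with every dynamic value encoded as text.
function renderTrackMarkup(track) {
  return `<div class="track"><span class="title">${escapeHtml(track.title)}</span>` +
         `<span class="author">${escapeHtml(track.author)}</span></div>`;
}

// Main-process handler body, e.g. wired as
// ipcMain.on('track-update', (_event, payload) => handleTrackUpdate(payload)).
function handleTrackUpdate(payload) {
  const track = sanitizeTrackUpdate(payload);
  return track ? renderTrackMarkup(track) : null;
}

// Constructed sample: markup in the title comes out as inert text.
const sample = { title: '<img src=x onerror="console.log(1)">', author: 'A & B' };
console.log(handleTrackUpdate(sample));
```

Where the view can set `textContent` on an element instead of building an HTML string, that removes the need for escaping altogether.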

Exploit · Fix · RCE · Code Injection · Missing Authorization · XSS

Weakness Enumeration

Related Identifiers: CVE-2026-44482

Affected Products: Soundcloud-Rpc