Local Command Execution Vulnerability in SoundCloud Client by Discord
CVE-2026-44482

9.6 CRITICAL

Key Information:

Vendor
CVE Published: 14 May 2026

What is CVE-2026-44482?

The soundcloud-rpc application, a SoundCloud client featuring Discord Rich Presence and other functionality, is vulnerable to local command execution through unsafe handling of track metadata. In versions prior to 0.1.8, maliciously crafted track titles containing HTML payloads could be executed within the Electron app. The vulnerability arises because the application treats track metadata from SoundCloud as trusted and processes and renders it within privileged Electron contexts that have Node.js integration enabled. Users are urged to update to version 0.1.8 or later to mitigate this risk.
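
The two defenses this class of bug calls for, as an added example that is not soundcloud-rpc's code or its actual fix: encode track metadata before it reaches markup, and audit a window's Electron `webPreferences` for Node.js exposure. The function names, the `HARDENED` baseline and the sample track are assumptions made for illustration.

```javascript
// Added example. All names are hypothetical; nothing here is soundcloud-rpc code.

// Electron webPreferences values that keep remote-influenced markup away from Node.js.
const HARDENED = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Report every webPreferences key that deviates from the hardened value.
// Missing keys count as deviations so the settings have to be stated explicitly.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, wanted] of Object.entries(HARDENED)) {
    if (prefs[key] !== wanted) {
      findings.push(`${key} should be ${wanted}, got ${String(prefs[key])}`);
    }
  }
  return findings;
}

// Encode the five characters that let text break out into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the "now playing" fragment with the remote fields treated as data.
function renderNowPlaying(track) {
  return `<span class="title">${escapeHtml(track.title)}</span>` +
         `<span class="artist">${escapeHtml(track.artist)}</span>`;
}

// Constructed sample input: a title carrying markup, as the advisory describes.
const sampleTrack = { title: '<img src=x onerror="console.log(1)">', artist: 'A & B' };

console.log(renderNowPlaying(sampleTrack));
console.log(auditWebPreferences({ nodeIntegration: true, contextIsolation: false }));
```

Encoding keeps the title inert as text, and the audit flags the window settings that would otherwise turn a rendering bug into command execution.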

Affected Version(s)

soundcloud-rpc < 0.1.8

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved