CVE-2026-44482: SoundCloud Client RCE via Malicious Track Metadata
The National Vulnerability Database has disclosed CVE-2026-44482, a critical vulnerability in soundcloud-rpc, a popular SoundCloud client. Prior to version 0.1.8, the application was susceptible to local command execution through specially crafted SoundCloud track titles. This flaw arises because the application exposes a window.soundcloudAPI.sendTrackUpdate preload API to the remote SoundCloud page.
Track metadata, including the title, is trusted and forwarded via inter-process communication (IPC) into the Electron main process. Crucially, the application then renders this metadata as raw HTML within privileged Electron views that have Node.js integration enabled. This means an attacker could embed an HTML payload in a track title, which would then execute arbitrary commands locally on a user’s machine when the track is viewed, leading to full system compromise.
This is a severe client-side vulnerability, rated 9.6 CRITICAL by the National Vulnerability Database. The attacker’s calculus is straightforward: entice a user to view a malicious track, and gain local command execution. Defenders should prioritize patching soundcloud-rpc to version 0.1.8 immediately to mitigate this risk. The vulnerability underscores the danger of rendering untrusted remote content as raw HTML in Electron applications, especially when Node.js integration is active.
What This Means For You
- If you or your team use the soundcloud-rpc client, you are exposed. An attacker only needs to get you to view a malicious track to compromise your system. Immediately update soundcloud-rpc to version 0.1.8. This isn't just a minor bug; it's a critical RCE that can give an attacker a foothold on your machine.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-44482: SoundCloud Client RCE via Malicious Track Metadata
title: CVE-2026-44482: SoundCloud Client RCE via Malicious Track Metadata
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
Detects the execution of a process spawned by the soundcloud-rpc application where the command line contains a javascript: URI, indicating a potential attempt to exploit CVE-2026-44482 by rendering malicious HTML metadata in an Electron view.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-44482/
tags:
- attack.execution
- attack.t1204.002
logsource:
category: process_creation
detection:
selection:
Image|startswith:
- 'C:\Users'
ParentImage|contains:
- 'soundcloud-rpc'
CommandLine|contains:
- 'javascript:'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44482 | RCE | soundcloud-rpc < 0.1.8 |
| CVE-2026-44482 | Code Injection | soundcloud-rpc: HTML payload in track title |
| CVE-2026-44482 | XSS | soundcloud-rpc: rendering track metadata as raw HTML in Electron views |
| CVE-2026-44482 | Information Disclosure | soundcloud-rpc: preload API (window.soundcloudAPI.sendTrackUpdate) exposed to remote SoundCloud page |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 18:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-42589: Gotenberg RCE via ExifTool Argument Injection
CVE-2026-42589 — Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes...
CVE-2026-42283: DevSpace UI WebSocket Exposes Developer Endpoints
CVE-2026-42283 — DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins...
CVE-2026-40893: Gotenberg Allows Arbitrary File Manipulation
CVE-2026-40893 — Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName...