A critical remote code execution vulnerability in the popular Soundcloud-RPC Electron desktop client allows attackers to execute arbitrary operating system commands on victims’ machines simply by embedding a malicious HTML payload inside a SoundCloud track title.
Tracked as CVE-2026-44482 and assigned a maximum-severity CVSS score of 9.3, the flaw was discovered by security researcher Matheus-HRM and disclosed publicly two weeks ago under advisory GHSA-p37x-32p8-445f.
soundcloud-rpc is a feature-rich SoundCloud desktop client built on the Electron framework, offering Discord Rich Presence integration, Dark Mode, Last.fm scrobbling, and ad-blocking capabilities.
It wraps SoundCloud’s web interface inside a native Electron application, bridging the gap between browser-based music streaming and OS-level desktop features.
The project is developed and maintained by GitHub user richardhbtz, and the vulnerability affects all versions up to and including 0.1.7. A patch was issued in version 0.1.8, and all users are strongly urged to update immediately.
SoundCloud Electron Client Vulnerability
The attack chain is elegantly simple and devastatingly effective. At its core, the application exposes a preload API window.soundcloudAPI.sendTrackUpdate directly to the remote SoundCloud page loaded inside the Electron renderer.
This bridge allows the external web page to push track metadata, including the track title and artist name, into the Electron main process via an IPC (Inter-Process Communication) message channel called soundcloud:track-update.
The critical mistake is threefold:
- No input validation: The main process accepts the IPC message without verifying the sender’s origin or validating the structure or content of the metadata
- Unsafe HTML rendering: Track metadata is injected directly into the DOM using innerHTML, which interprets any embedded HTML tags and JavaScript event handlers as live code
- Insecure Electron configuration: The settings BrowserView is configured with nodeIntegration: true, contextIsolation: false, and sandbox: false, a combination that grants renderer-side scripts full access to Node.js system APIs
When these three weaknesses are chained together, what begins as a stored XSS payload in a SoundCloud track title escalates into full local command execution, a well-documented class of Electron misconfiguration exploits seen in numerous high-profile apps.
The researcher confirmed this vulnerability by uploading a live SoundCloud track. The track title used was:
</div><img src=x onerror="require('child_process').exec('touch /tmp/1337')"><div>
When the victim opened the application and viewed or played the track, the malicious title flowed from the SoundCloud page → preload API → IPC → innerHTML render inside a Node.js-enabled BrowserView.
The onerror handler fired, invoked Node.js’s child_process.exec, and created the file /tmp/1337 on the local filesystem, providing full command execution with the victim’s user privileges.
The researcher noted that while the proof-of-concept was tested on Linux, the attack surface almost certainly extends to Windows and macOS, given that the underlying Electron misconfiguration is platform-agnostic.
The attack requires zero privileges on the attacker’s side and only a single user interaction on the victim’s side:
- Attacker uploads a SoundCloud track with a crafted malicious title
- The victim opens the SoundCloud-RPC Electron application
- The victim plays or browses to the attacker-controlled track
- The track title travels from the SoundCloud web view through the unvalidated IPC bridge
- The title is rendered with innerHTML inside the Node.js-enabled BrowserView
- The injected event handler executes with full Node.js require() access
- Attacker achieves arbitrary command execution on the victim’s machine
The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H reflects the gravity of this scenario. A successful exploit could allow adversaries to read local files and SSH keys, steal browser session tokens, deploy persistent malware, exfiltrate application configurations, or launch additional processes, all running silently in the background of what appears to be a normal music-listening session.
The advisory maps four distinct CWE weaknesses to this vulnerability:
- CWE-20 (Improper Input Validation) – The IPC handler trusts metadata from an untrusted remote source without schema enforcement
- CWE-79 (Cross-Site Scripting) – Raw HTML from attacker-controlled track metadata is inserted into the DOM with innerHTML
- CWE-94 (Code Injection) – The onerror event handler executes injected JavaScript with Node.js privileges
- CWE-862 (Missing Authorization) – No check exists to verify that the IPC sender is the legitimate SoundCloud BrowserView
This layered failure reflects a broader pattern in Electron application development, where developers leverage nodeIntegration: true for convenience without appreciating the catastrophic implications of combining that setting with untrusted remote content.
Remediation
The advisory recommends a defense-in-depth approach:
- Replace innerHTML with safe DOM APIs like textContent to prevent HTML injection entirely
- Harden webPreferences: Set nodeIntegration: false, contextIsolation: true, and sandbox: true in all UI BrowserViews
- Validate IPC senders: Confirm that soundcloud:track-update messages originate only from the intended SoundCloud BrowserView, rejecting all others
- Sanitize metadata inputs: Enforce string type checks, maximum length limits, HTTPS-only URL validation, and reject unexpected object shapes
- Apply a strict Content Security Policy (CSP): Block inline scripts and event handlers on all privileged local views
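The following is an added example, not soundcloud-rpc's own code, showing the threefold mistake described earlier closed the way the remediation list above prescribes: sender check, strict shape validation, hardened webPreferences, and textContent rendering. It assumes a { title, artist, artworkUrl? } payload shape, that the handler receives Electron's IpcMainEvent (whose sender is the sending WebContents), and hypothetical element names titleEl and artistEl in the settings view.

```javascript
// Added example, not soundcloud-rpc's own code. Assumes the untrusted page
// sends { title, artist, artworkUrl? }, that `event` is the IpcMainEvent
// Electron hands to ipcMain.on handlers (event.sender = sending WebContents),
// and that main knows the webContents.id of the one SoundCloud BrowserView.
const MAX_FIELD_LENGTH = 200;
const ALLOWED_KEYS = new Set(['title', 'artist', 'artworkUrl']);

// webPreferences every UI BrowserView should be created with.
const HARDENED_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false, contextIsolation: true, sandbox: true,
});

// CWE-862 fix: accept the message only from the expected WebContents.
function isAllowedSender(event, allowedWebContentsId) {
  return Number.isInteger(allowedWebContentsId) && Boolean(event && event.sender) && event.sender.id === allowedWebContentsId;
}

function isBoundedString(value) {
  return typeof value === 'string' && value.length > 0 && value.length <= MAX_FIELD_LENGTH;
}

function isHttpsUrl(value) {
  if (typeof value !== 'string' || value.length > 2048) return false;
  try { return new URL(value).protocol === 'https:'; } catch { return false; }
}

// CWE-20 fix: enforce the exact shape; anything else is dropped (null).
// Returns a fresh frozen object, so no extra keys or prototype survive.
function validateTrackUpdate(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) return null;
  if (!Object.keys(payload).every((k) => ALLOWED_KEYS.has(k))) return null;
  const { title, artist, artworkUrl } = payload;
  if (!isBoundedString(title) || !isBoundedString(artist)) return null;
  if (artworkUrl !== undefined && !isHttpsUrl(artworkUrl)) return null;
  return Object.freeze({ title, artist, artworkUrl });
}

// Handler body for ipcMain.on('soundcloud:track-update', ...): returns the
// validated track to forward to the settings view, or null to drop it.
function handleTrackUpdate(event, payload, allowedWebContentsId) {
  if (!isAllowedSender(event, allowedWebContentsId)) return null;
  return validateTrackUpdate(payload);
}

// CWE-79 fix, for the settings view's renderer: write text, never markup.
// titleEl/artistEl are DOM elements (anything with a textContent property).
function renderTrack(titleEl, artistEl, track) {
  titleEl.textContent = track.title;   // '<img ...>' stays literal text
  artistEl.textContent = track.artist;
}
```

In the real app the validated object would be forwarded to the settings view over its own channel, and that renderer would call renderTrack instead of assigning innerHTML.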
FAQ
Q1: What is CVE-2026-44482?
CVE-2026-44482 is a critical RCE vulnerability in the SoundCloud-rpc Electron app, where malicious SoundCloud track titles execute OS commands on victims’ machines via unsafe innerHTML rendering in a Node.js-enabled BrowserView.
Q2: Who is affected by this vulnerability?
All users running Soundcloud-RPC version 0.1.7 or earlier on any operating system are affected, as the Electron misconfiguration is platform-agnostic.
Q3: Has a patch been released?
Yes, version 0.1.8 of soundcloud-rpc patches CVE-2026-44482, and all users must update immediately to eliminate the risk.
Q4: What makes Electron apps particularly vulnerable to XSS-to-RCE escalation?
Electron apps configured with nodeIntegration: true and contextIsolation: false expose full Node.js APIs to the renderer process, allowing any XSS payload to call system functions like child_process.exec directly.
Site: thecybrdef.com