A critical vulnerability in the soundcloud-rpc integration for Discord allows remote attackers to achieve local command execution on the user's machine via manipulated track metadata.

The application incorrectly handles track metadata, rendering it as raw HTML within privileged Electron views. This allows an attacker to execute arbitrary code locally by crafting a track title with a malicious payload.

Successful exploitation results in full local command execution on the victim's machine, potentially compromising all data and credentials stored on the host. With a CVSS score of 9.6, this flaw poses a severe risk to endpoint security and user confidentiality.

Immediate Action: Update the soundcloud-rpc application to version 0.1.8 or later.

Proactive Monitoring: Monitor for unexpected child processes spawned by the Electron-based application.

Compensating Controls: Restrict application permissions where possible and ensure the endpoint is protected by robust EDR solutions.

Public Exploit Available: Unknown

Users of the soundcloud-rpc integration should update immediately to mitigate the risk of remote code execution. Given the impact on the local operating system, this update should be treated with high urgency.