CVE-2025-55204 HIGH

CVE-2025-55204: muffon has One-click Remote Code Execution via XSS and Custom URL Handling

Vendor Staniel359
Product muffon
Weakness CWE-94 · Code injection
Published January 5, 2026
Last update January 5, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers muffon's custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue.

Key dates

02 Disclosure timeline

January 5, 2026 CVE published
January 5, 2026 Record updated