CVE-2025-55204
published 2026-01-05

Priority: P261
Severity: critical, 9.6 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.60% (44.2th percentile)

muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon’s custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| muffon | muffon | < 2.3.0 | 2.3.0 |
| staniel359 | muffon | < 2.3.0 | 2.3.0 |