
stemdeckapp/stemdeck

v0.7.0-alpha.5 Security

This release includes 3 security fixes of interest to teams reviewing exposed deployments.

No CVE identifiers are assigned to the fixes in this release; they are tracked only by the pull request numbers in the changelog below.

Affected surfaces

Desktop webview (missing CSP; stored XSS via library folder names) and the URL allowlist in front of the media extractor (redirect to arbitrary targets through the on.soundcloud.com shortener).

ReleasePort's take


The release adds a Content‑Security‑Policy to the desktop webview disabling inline scripts and eval, fixes stored XSS via folder names, and narrows URL allowlists.

Why it matters: the desktop webview is a Tauri app, so before this release any markup injected into it could run script and reach the Tauri API. The Content-Security-Policy (severity 80) closes that path generically, and the folder-name fix (severity 70) closes the one known injection point. The shortener removal matters because on.soundcloud.com redirects to arbitrary targets, which defeats any host allowlist that accepts it. All three deserve prompt attention on exposed deployments.
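What the hardened policy looks like in configuration, as an added example that is not StemDeck's own config: a Tauri tauri.conf.json fragment with the weak policy (inline script and eval allowed) beside the corrected one. The Tauri 2 key path `app.security.csp` is assumed (Tauri 1 nests the same `csp` string under `tauri.security`), and the `connect-src` entries are the IPC origins Tauri 2 documents; check them against the Tauri version the app actually builds with.

```jsonc
// Weak: 'unsafe-inline' and 'unsafe-eval' mean any markup that lands in the
// page (a crafted folder name, for instance) runs as first-party script.
{
  "app": {
    "security": {
      "csp": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
    }
  }
}

// Hardened, matching what #177 describes: script only from the bundled origin,
// no inline handlers, no eval. Every <script> block and onclick="..." attribute
// in index.html has to move into a bundled module for this to load cleanly.
{
  "app": {
    "security": {
      "csp": "default-src 'self'; script-src 'self'; connect-src 'self' ipc: http://ipc.localhost; object-src 'none'; base-uri 'none'"
    }
  }
}
```

With the hardened policy an injected `<img src=x onerror=...>` still renders as an image element, but the webview refuses to run the handler. The CSP is a backstop for the escaping fix, not a replacement for it.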

Summary

A mixed release: a Windows playback fix (Reliability), three security hardening changes (CSP for the webview, stored XSS in folder names, URL and extractor allowlist), protection of the Unsorted folder (Library), version reporting derived from the git tag, and macOS/Windows installing notes.

Changes in this release

Security High

Adds a Content-Security-Policy to the desktop webview, disallowing inline scripts and eval. (#177)

Security High

Fixes a stored XSS via library folder names by escaping names on render and validating input at creation time. (#176)

Security Medium

Removes the on.soundcloud.com share shortener from the URL allowlist and adds a yt-dlp extractor allowlist, so only the YouTube and SoundCloud extractors can run. (#176)

Feature Medium

Protects the Unsorted folder from deletion: the delete button is hidden and the operation is blocked. (#178)

Feature Medium

Derives the version from the git tag, so the /api/health endpoint reports the correct version. (#176)

Bugfix Medium

Fixes waveform and playback not loading on Windows by defaulting to the streaming path there. (#179, #181)

Full changelog

> [!IMPORTANT]

macOS, first launch (no code signing yet). After dragging StemDeck to Applications, clear the Gatekeeper quarantine flag or macOS will say the app is damaged:

```shell
xattr -dr com.apple.quarantine /Applications/StemDeck.app
```

Because the app is unsigned, this command is the only thing standing between the download and execution: run it only on a DMG you fetched from the project's own release page.

Optional: fresh-install cleanup. To reproduce a true first run with no leftover state from earlier builds, open each path in Finder via Go → Go to Folder (⇧⌘G) and move the folders to Trash:

  • ~/Library/Application Support/StemDeck
  • ~/Library/WebKit/app.stemdeck.desktop
  • ~/Library/Caches/stemdeck
  • ~/Library/Caches/app.stemdeck.desktop

You can also delete ~/Library/Preferences/app.stemdeck.desktop.plist the same way. This is optional; the app will work without it.

What's new in 0.7.0 Alpha 5

Reliability

  • Fixed waveform and playback not loading on Windows. The Web Audio engine introduced in alpha.4 caused the Windows/WebView2 client to stall: the waveform took up to 60 seconds to show nothing and audio wouldn't play. The engine now defaults to off on Windows (streaming path, as in alpha.3) and to on everywhere else (macOS/Safari keep the smooth playback). (#179, #181)

Security

  • Content-Security-Policy added to the desktop webview. `script-src 'self'` with no `'unsafe-inline'` or `'unsafe-eval'`: injected markup can no longer run script or reach the Tauri API. Inline scripts and onclick handlers moved out of index.html into a proper module. (#177)
  • Stored XSS via library folder names fixed. Folder names are now escaped on render, and input validation rejects markup and other symbols at creation time (letters, numbers, spaces, and `- _ ' & ( ) . ,` only; 100-char max). (#176)
  • SoundCloud share shortener removed from the URL allowlist. on.soundcloud.com redirects to arbitrary targets, so it was dropped, and a yt-dlp extractor allowlist was added so that only the YouTube and SoundCloud extractors can run. (#176)
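The two layers #176 describes, validation at creation and escaping at render, as an added example that is not StemDeck's code. The allowed character set and the 100-character limit are taken from the release note; the regex itself, the `\p{L}`/`\p{N}` classes (which also admit non-ASCII letters and digits), the row markup and the constructed store contents are assumptions.

```javascript
// Added example (not StemDeck's code). Allowed set from the release note:
// letters, numbers, spaces and - _ ' & ( ) . , ; at most 100 characters.
// \p{L}/\p{N} are an assumption: they admit non-ASCII letters and digits too.
const FOLDER_NAME_RE = /^[\p{L}\p{N} _'&().,-]{1,100}$/u;
const MAX_FOLDER_NAME = 100;

// Layer 1: reject at creation time, before the name is ever stored.
function validateFolderName(name) {
  if (typeof name !== 'string' || name.length === 0) {
    return { ok: false, reason: 'name must be a non-empty string' };
  }
  if (name.length > MAX_FOLDER_NAME) {
    return { ok: false, reason: `name longer than ${MAX_FOLDER_NAME} characters` };
  }
  if (!FOLDER_NAME_RE.test(name)) {
    return { ok: false, reason: 'name contains characters outside the allowed set' };
  }
  return { ok: true, reason: '' };
}

// Layer 2: escape at render time. Validation alone is not enough: & and ' are on
// the allowed list, and both carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The vulnerable pattern: a stored name interpolated straight into markup.
function renderFolderRowUnsafe(name) {
  return `<li class="folder" data-name="${name}">${name}</li>`;
}

// The fixed pattern: every interpolation of the name goes through escapeHtml.
function renderFolderRow(name) {
  const safe = escapeHtml(name);
  return `<li class="folder" data-name="${safe}">${safe}</li>`;
}

// Both layers together: creation refuses bad names, and the renderer escapes
// whatever is already in the store, including names written by builds that
// predate the validation.
function createFolder(store, name) {
  const v = validateFolderName(name);
  if (!v.ok) throw new Error(`invalid folder name: ${v.reason}`);
  store.push(name);
  return name;
}

function renderLibrary(store) {
  return `<ul class="folders">${store.map(renderFolderRow).join('')}</ul>`;
}

// Constructed store contents: a name a crafted client could have stored before
// the fix, next to a legitimate name that uses every allowed punctuation mark.
const LEGACY_STORE = ['<img src=x onerror="alert(document.cookie)">', "Jim's Mix (Rock & Roll)"];
```

The validation is strict enough that a folder name cannot carry markup into the store, but the renderer escapes anyway; names stored by earlier builds never passed the check, and a second creation path added later might not call it either.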

Library

  • Unsorted folder is now protected from deletion. It's the default landing folder for unorganized tracks; the delete button is hidden and the operation is blocked. (#178)

Version

  • Version now derived from the git tag. Source/Docker/self-hosted installs report the correct version via /api/health automatically. No more stale 0.6.0-alpha.2. (#176)

Installing

  • macOS: drop the .app into Applications and launch (run the xattr command above first).
  • Windows: unzip the downloaded .zip, then run StemDeck.exe from the extracted folder.

Artifact build

  • macOS arm64 and x64 DMGs and runtime packs were built and inspected on a macOS Woodpecker agent before upload.

Artifact scan

  • Windows portable packages were scanned with ClamAV in CI before upload.

Security Fixes

  • Content-Security-Policy added to desktop webview (`script-src 'self'`), eliminating unsafe inline script execution (#177)
  • Stored XSS via library folder names fixed by escaping and strict validation (allowed characters: letters, numbers, spaces, `- _ ' & ( ) . ,`; max 100 chars) (#176)
  • SoundCloud shortener `on.soundcloud.com` removed from URL allowlist; only YouTube and SoundCloud extractors permitted (#176)
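How a strict host allowlist differs from the substring check a shortener can slip past, as an added example that is not StemDeck's code. The exact set of YouTube and SoundCloud hostnames, the https-only rule and the probe inputs are assumptions; the page only says that on.soundcloud.com was dropped and that a yt-dlp extractor allowlist was added as a second layer behind the URL check.

```javascript
// Added example (not StemDeck's code). Host list and https-only rule are assumptions.
const ALLOWED_HOSTS = new Set([
  'youtube.com', 'www.youtube.com', 'm.youtube.com', 'music.youtube.com', 'youtu.be',
  'soundcloud.com', 'www.soundcloud.com', 'm.soundcloud.com',
  // Deliberately absent: on.soundcloud.com. It is a share shortener that redirects
  // to whatever the share link encodes, so allowing it means allowing any target.
]);

// The kind of check a shortener (and several other inputs) slips past.
function naiveIsAllowed(input) {
  return input.includes('youtube.com') || input.includes('soundcloud.com');
}

// Parse first, then compare the exact hostname against the allowlist.
function checkMediaUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    // "https://soundcloud.com@evil.example/" parses with hostname evil.example;
    // refuse userinfo outright rather than trusting whatever precedes the @.
    return { ok: false, reason: 'userinfo in URL' };
  }
  const host = url.hostname; // already lowercased and normalised by the URL parser
  if (!ALLOWED_HOSTS.has(host)) {
    return { ok: false, reason: `host ${host} is not on the allowlist` };
  }
  return { ok: true, reason: '', url: url.href };
}

// Constructed probe inputs a client could submit, each annotated with the trick it uses.
const PROBES = [
  'https://soundcloud.com/artist/track',
  'https://www.youtube.com/watch?v=abc123',
  'https://on.soundcloud.com/AbC123',           // shortener: redirects anywhere
  'https://evil.example/?next=soundcloud.com',  // allowed host only in the query
  'https://soundcloud.com.evil.example/x',      // lookalike subdomain
  'https://soundcloud.com@evil.example/x',      // allowed host as userinfo
  'http://soundcloud.com/x',                    // plaintext downgrade
  'javascript:alert(1)//soundcloud.com',        // non-http scheme
];

// Side-by-side verdicts of the naive and the strict check for each probe.
function compareChecks(inputs = PROBES) {
  return inputs.map((u) => ({ input: u, naive: naiveIsAllowed(u), strict: checkMediaUrl(u).ok }));
}
```

Of the eight probes the naive check accepts all eight and the strict check accepts only the first two. The host check is still only the first layer: a URL that passes it is handed to yt-dlp, and the extractor allowlist the release adds is what stops yt-dlp from following a permitted host into a generic extractor.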



Related context

Earlier breaking changes

  • v0.6.0-alpha.1 Moves library and stems storage from `~/Library/Application Support/` to `~/Documents/StemDeck/`.
