CVE-2026-28403
7.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Summary
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the DirectorServer WebSocket server (ws://127.0.0.1:<httpPort+1>) accepts connections from any origin without validating the HTTP Origin header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary DirectorCommand payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| f | textream | < 1.5.1 | affected |
Weaknesses
- CWE-346: CWE-346: Origin Validation Error
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w
- https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.