Refine your search
2 vulnerabilities found for textream by f
CVE-2026-28412 (GCVE-0-2026-28412)
Vulnerability from cvelistv5
Published
2026-03-02 15:46
Modified
2026-03-02 19:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28412",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T19:21:57.486841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T19:22:31.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "textream",
"vendor": "f",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T15:46:56.128Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9"
},
{
"name": "https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1"
}
],
"source": {
"advisory": "GHSA-qr5p-7x47-qxh9",
"discovery": "UNKNOWN"
},
"title": "Textream Vulnerable to Uncontrolled Resource Consumption (Denial of Service)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28412",
"datePublished": "2026-03-02T15:46:56.128Z",
"dateReserved": "2026-02-27T15:33:57.289Z",
"dateUpdated": "2026-03-02T19:22:31.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28403 (GCVE-0-2026-28403)
Vulnerability from cvelistv5
Published
2026-03-02 15:45
Modified
2026-03-02 19:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-346 - Origin Validation Error
Summary
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28403",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T19:26:46.910895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T19:27:12.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "textream",
"vendor": "f",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:\u003chttpPort+1\u003e`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T15:45:18.206Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w"
},
{
"name": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0"
}
],
"source": {
"advisory": "GHSA-wr3v-x247-337w",
"discovery": "UNKNOWN"
},
"title": "Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28403",
"datePublished": "2026-03-02T15:45:18.206Z",
"dateReserved": "2026-02-27T15:33:57.289Z",
"dateUpdated": "2026-03-02T19:27:12.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}