Search criteria
2 vulnerabilities by f
CVE-2026-28412 (GCVE-0-2026-28412)
Vulnerability from cvelistv5 – Published: 2026-03-02 15:46 – Updated: 2026-03-02 19:22
VLAI?
Title
Textream Vulnerable to Uncontrolled Resource Consumption (Denial of Service)
Summary
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.
Severity ?
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28412",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T19:21:57.486841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T19:22:31.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "textream",
"vendor": "f",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T15:46:56.128Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9"
},
{
"name": "https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1"
}
],
"source": {
"advisory": "GHSA-qr5p-7x47-qxh9",
"discovery": "UNKNOWN"
},
"title": "Textream Vulnerable to Uncontrolled Resource Consumption (Denial of Service)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28412",
"datePublished": "2026-03-02T15:46:56.128Z",
"dateReserved": "2026-02-27T15:33:57.289Z",
"dateUpdated": "2026-03-02T19:22:31.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28403 (GCVE-0-2026-28403)
Vulnerability from cvelistv5 – Published: 2026-03-02 15:45 – Updated: 2026-03-02 19:27
VLAI?
Title
Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability
Summary
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
Severity ?
7.6 (High)
CWE
- CWE-346 - Origin Validation Error
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28403",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T19:26:46.910895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T19:27:12.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "textream",
"vendor": "f",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:\u003chttpPort+1\u003e`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T15:45:18.206Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w"
},
{
"name": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0"
}
],
"source": {
"advisory": "GHSA-wr3v-x247-337w",
"discovery": "UNKNOWN"
},
"title": "Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28403",
"datePublished": "2026-03-02T15:45:18.206Z",
"dateReserved": "2026-02-27T15:33:57.289Z",
"dateUpdated": "2026-03-02T19:27:12.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}