Description
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
Published: 2026-03-02
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote control of the teleprompter via WebSocket hijacking
Action: Patch
AI Analysis

Impact

The vulnerability lies in the DirectorServer WebSocket that accepts connections from any origin without checking the HTTP Origin header during the handshake. A page loaded in the same browser session can silently connect to the local WebSocket server and send arbitrary DirectorCommand messages, giving the attacker full control over the teleprompter's content. This flaw is a classic example of Cross-Site WebSocket Hijacking and enables remote manipulation of the application from a web page.
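The missing check is the Origin validation step of the WebSocket upgrade. The following Python handshake validator is an added illustration, not Textream's code: it assumes the prompter UI is served from `http://127.0.0.1:<http_port>` and that only that origin (plus its `localhost` spelling) may drive the director socket; every other browser origin is refused with 403 before any DirectorCommand can be delivered, and the accept key is computed per RFC 6455.

```python
import base64
import hashlib

# Added example, not Textream's code. Assumptions: the prompter UI is served
# from http://127.0.0.1:<http_port> and only that origin may drive it.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake GUID

def parse_request(raw: bytes) -> tuple[str, dict]:
    """Split a raw HTTP/1.1 request into (request line, lowercased header dict)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers

def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept value per RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def handshake(raw: bytes, http_port: int, allow_missing_origin: bool = False) -> tuple[int, str]:
    """Return (status, detail): 101 plus the accept key, or 400/403 and a reason.
    Browsers always send Origin, so a page on another site is refused here. A
    request without Origin is a non-browser client; accept it only on opt-in."""
    request_line, h = parse_request(raw)
    if not request_line.startswith("GET ") or h.get("upgrade", "").lower() != "websocket":
        return 400, "not a websocket upgrade"
    allowed = {f"http://127.0.0.1:{http_port}", f"http://localhost:{http_port}"}
    origin = h.get("origin")
    if origin is None:
        if not allow_missing_origin:
            return 403, "origin header required"
    elif origin not in allowed:  # exact match only; never prefix or substring tests
        return 403, f"origin not allowed: {origin}"
    key = h.get("sec-websocket-key")
    if not key:
        return 400, "missing sec-websocket-key"
    return 101, accept_key(key)

# Constructed sample upgrade requests (not captured traffic) for a self-check.
CROSS_SITE = (b"GET /director HTTP/1.1\r\nHost: 127.0.0.1:8081\r\nUpgrade: websocket\r\n"
              b"Connection: Upgrade\r\nOrigin: https://third-party.example\r\n"
              b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n")
LOCAL_UI = CROSS_SITE.replace(b"https://third-party.example", b"http://127.0.0.1:8080")
```

An Origin check only stops browser-mediated requests; a native process on the same host can still reach 127.0.0.1, which is why a per-session token or pairing step is the usual complement.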

Affected Systems

Textream, the free macOS teleprompter application, is affected on all versions earlier than 1.5.1. Users of these versions run an unpatched local WebSocket server that trusts all origins.

Risk and Exploitability

The CVSS score of 7.6 categorises the flaw as high severity, while the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalogue. The most likely attack vector is a malicious web page that the target user visits while the same browser instance is running Textream; the attacker then establishes a WebSocket connection controlled by the page. The flaw does not require privilege escalation beyond what the user already has on the system.

Generated by OpenCVE AI on April 17, 2026 at 13:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Textream to version 1.5.1 or later, which validates the Origin header before accepting WebSocket connections.
  • If an upgrade is not immediately possible, block access to the director WebSocket port (127.0.0.1:<httpPort+1>) using local firewall rules or host-based network policies.
  • Disable the DirectorServer WebSocket feature or restrict its use in the application settings if the vendor provides such an option.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 18:30:00 +0000

Type                 Values Removed                                  Values Added
First Time appeared                                                  Fka
                                                                     Fka textream
CPEs                 cpe:2.3:a:textream:textream:*:*:*:*:*:*:*:*     cpe:2.3:a:fka:textream:*:*:*:*:*:*:*:*
Vendors & Products   Textream                                        Fka
                     Textream textream                               Fka textream

Wed, 04 Mar 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Textream
                                      Textream textream
CPEs                                  cpe:2.3:a:textream:textream:*:*:*:*:*:*:*:*
Vendors & Products                    Textream
                                      Textream textream

Wed, 04 Mar 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   F
                                      F textream
Vendors & Products                    F
                                      F textream

Mon, 02 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 16:00:00 +0000

Type                 Values Removed   Values Added
Description                           Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
Title                                 Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability
Weaknesses                            CWE-346
References
Metrics                               cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T19:27:12.422Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28403

Vulnrichment

Updated: 2026-03-02T19:27:02.104Z

NVD

Status : Analyzed

Published: 2026-03-02T16:16:25.750

Modified: 2026-03-10T18:28:54.237

Link: CVE-2026-28403

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses