Description
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.
Published: 2026-03-02
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from a lack of limits on concurrent WebSocket connections to the DirectorServer. Coupled with a broadcast timer that pushes state updates every 100 ms to all clients, an attacker can flood the server with connections, causing the application to consume excessive CPU and memory and eventually freeze or crash during a live broadcast. This leads to a denial of service for the user running the teleprompter during critical sessions.
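The missing control described above can be modeled as a small admission gate that bounds how many clients the 100 ms broadcast has to serve. This is an added example, not Textream's code or its 1.5.1 fix; the class name, the caps (8 total, 2 per peer) and the sample peer address are assumptions.

```python
# Added example: connection admission gate for a broadcast-style WebSocket
# server. Names and limits are assumptions, not Textream's own code.
from collections import Counter

BROADCAST_INTERVAL_S = 0.1  # the 100 ms broadcast timer described above


class ConnectionGate:
    """Admit a client only while the global and per-peer caps have room."""

    def __init__(self, max_total=8, max_per_peer=2):
        self.max_total = max_total        # assumed cap on all clients
        self.max_per_peer = max_per_peer  # assumed cap per remote address
        self.clients = {}                 # conn_id -> peer address
        self.per_peer = Counter()
        self.rejected = 0

    def try_admit(self, conn_id, peer):
        """Return True to keep the connection, False to close it at once."""
        if conn_id in self.clients:
            return True
        if (len(self.clients) >= self.max_total
                or self.per_peer[peer] >= self.max_per_peer):
            self.rejected += 1
            return False
        self.clients[conn_id] = peer
        self.per_peer[peer] += 1
        return True

    def release(self, conn_id):
        """Free the slot when a client disconnects or a send to it fails."""
        peer = self.clients.pop(conn_id, None)
        if peer is not None:
            self.per_peer[peer] -= 1

    def sends_per_second(self):
        """Broadcast sends per second at the current client count."""
        return round(len(self.clients) / BROADCAST_INTERVAL_S)


def simulate_flood(gate, attempts, peer="198.51.100.7"):
    """Constructed input: one peer opening `attempts` connections in a row."""
    return sum(gate.try_admit(f"{peer}#{i}", peer) for i in range(attempts))


if __name__ == "__main__":
    gate = ConnectionGate()
    print(simulate_flood(gate, 1000), gate.rejected, gate.sends_per_second())
```

With no gate, 1000 open connections would mean 10,000 sends per second from the same timer; with these assumed caps the broadcast cost stays at or below 80 sends per second.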

Affected Systems

The affected product is Textream, a macOS teleprompter application by the vendor f:. Versions prior to 1.5.1 are vulnerable; version 1.5.1 includes the fix that restricts the connection count.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity vulnerability, while the EPSS score of less than 1% suggests that, at the time of analysis, exploitation is considered unlikely. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, as it relies on WebSocket connections that can be established from external clients. An attacker would need network access to the machine running Textream to initiate the flood of connections.

Generated by OpenCVE AI on April 17, 2026 at 13:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the update to Textream v1.5.1 or newer to enforce a limit on concurrent WebSocket connections.
  • Restrict inbound WebSocket connections by configuring the local firewall or network settings, thereby limiting the number of connections that can reach the DirectorServer.
  • Monitor system resource consumption during live teleprompter sessions; if CPU or memory usage spikes, terminate the application to prevent prolonged denial of service.


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Fka
Fka textream
CPEs cpe:2.3:a:textream:textream:*:*:*:*:*:*:*:* cpe:2.3:a:fka:textream:*:*:*:*:*:*:*:*
Vendors & Products Textream
Textream textream
Fka
Fka textream

Wed, 04 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Textream
Textream textream
CPEs cpe:2.3:a:textream:textream:*:*:*:*:*:*:*:*
Vendors & Products Textream
Textream textream

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared F
F textream
Vendors & Products F
F textream

Mon, 02 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.
Title Textream Vulnerable to Uncontrolled Resource Consumption (Denial of Service)
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T19:22:31.210Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28412

Vulnrichment

Updated: 2026-03-02T19:22:23.285Z

NVD

Status: Analyzed

Published: 2026-03-02T16:16:25.930

Modified: 2026-03-10T18:23:12.377

Link: CVE-2026-28412

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses