top of page
perceptive_background_267k.jpg

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections fro…

Published:

1 March 2026 at 23:00:00

Alert date:

2 March 2026 at 17:01:35

Source:

nvd.nist.gov

Click to open the original link from this advisory

Operating Systems, Web Technologies

CVE-2026-28403 affects Textream, a free macOS teleprompter app. Prior to version 1.5.1, the DirectorServer WebSocket server accepts connections from any origin without validating the HTTP Origin header during the WebSocket handshake. This allows malicious web pages visited in the same browser session to silently connect to the local WebSocket server and send arbitrary DirectorCommand payloads, enabling full remote control of the teleprompter content. The vulnerability was fixed in version 1.5.1.

Technical details

Mitigation steps:

Affected products:

Textream

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-28403
https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0
https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page