CVE-2026-28412

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

T

extream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.

References

Link	Resource
https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1	Patch
https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:textream:textream:*:*:*:*:*:*:*:*

History

04 Mar 2026, 15:08

Type	Values Removed	Values Added
First Time		Textream textream Textream
References	~~() https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1 -~~	() https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1 - Patch
References	~~() https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9 -~~	() https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9 - Exploit, Vendor Advisory
CPE		cpe:2.3:a:textream:textream::::::::

02 Mar 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-02 16:16

Updated : 2026-03-04 15:08

NVD link : CVE-2026-28412

Mitre link : CVE-2026-28412

CVE.ORG link : CVE-2026-28412

JSON object : View

Products Affected

textream

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2026-28412", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-02T16:16:25.930", "references": [{"url": "https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue."}], "lastModified": "2026-03-04T15:08:31.960", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:textream:textream:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0BB4E255-2E87-4F37-8AEE-CBC51F481638", "versionEndExcluding": "1.5.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}