CVE-2026-28412

Published: Mar 2, 2026Modified: Mar 10, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.

Affected (1)

Products: Fka: Textream

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Fka Textream	Before 1.5.1

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (2)

https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1

Source: security-advisories@github.com

Patch

https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.