Unrated severityNVD Advisory· Published Mar 2, 2026· Updated Mar 2, 2026

Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability

CVE-2026-28403

Description

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the DirectorServer WebSocket server (ws://127.0.0.1:<httpPort+1>) accepts connections from any origin without validating the HTTP Origin header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary DirectorCommand payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.

Affected products

Textream/Textreamllm-fuzzy
Range: <1.5.1
f/textreamv5
Range: < 1.5.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0mitrex_refsource_MISC
github.com/f/textream/security/advisories/GHSA-wr3v-x247-337wmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000