CVE-2026-28412

MEDIUM

Textream <1.5.1 - DoS

Title source: llm

Description

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.

References (2)

[Vendor Advisory] https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9

[Patch] https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0005

EPSS Percentile 16.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (2)

fka/textream < 1.5.1

textream/textream < 1.5.1

Published Mar 02, 2026

Tracked Since Mar 02, 2026