CVE-2026-28412
MEDIUM
Textream < 1.5.1 - Unauthenticated Denial of Service via WebSocket Connection Flood
Title source: llm
Description
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9
Patch x_refsource_misc
https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1
Scores
CVSS v3
6.5
EPSS
0.0026
EPSS Percentile
16.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (2)
fka/textream
< 1.5.1
textream/textream
< 1.5.1
Published
Mar 02, 2026
Tracked Since
Mar 02, 2026