CVE-2026-28412

Textream Vulnerable to Uncontrolled Resource Consumption (Denial of Service)

CVSS 6.5 MEDIUMEPSS 0.3%CWE-400

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.5EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

02 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected products

f · textream

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1 https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9