CVE-2026-28412

Textream Vulnerable to Uncontrolled Resource Consumption (Denial of Service)

CVSS 6.5 MEDIUMEPSS 0.3%CWE-400

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 6.5EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

02 mar 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Produtos afetados

f · textream

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1 https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9