7.6

Textream for macOS: Unsecured WebSocket Server Allows Remote Control

CVE-2026-28403
Summary

A security flaw in Textream's WebSocket server lets a malicious website that you visit remotely control the teleprompter app on your Mac. This means a bad actor could change the content being displayed without your permission. To fix this, update Textream to version 1.5.1 or later.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| textream | textream | <= 1.5.1 | |
| fka | textream | <= 1.5.1 | |
Original title
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the H...
Original description
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
nvd CVSS3.1 8.6
Vulnerability type
CWE-346
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
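
The check the description says was missing, validating the HTTP `Origin` header during the WebSocket handshake, can be sketched as follows. This is an added example, not code from Textream or from this advisory; the port value, the allowed loopback origin and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions (not from the advisory): the legitimate client is a page served
# from loopback on UI_PORT, and the WebSocket listens on UI_PORT + 1.
UI_PORT = 8080  # constructed value
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_headers(raw_request: bytes) -> dict:
    """Parse handshake headers; names are lower-cased (case-insensitive)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def origin_allowed(origin, ui_port=UI_PORT) -> bool:
    """Compare parsed scheme, host and port; never substring-match the header."""
    if not origin or origin == "null":  # absent, or an opaque origin
        return False
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:  # malformed host or port
        return False
    extras = parts.path or parts.query or parts.fragment or parts.username
    return (parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS
            and port == ui_port and not extras)


def check_handshake(raw_request: bytes, ui_port=UI_PORT) -> int:
    """Return the status to answer with: 101 upgrade, 400 or 403 reject."""
    headers = parse_headers(raw_request)
    if headers.get("upgrade", "").lower() != "websocket":
        return 400
    return 101 if origin_allowed(headers.get("origin"), ui_port) else 403


def make_request(origin) -> bytes:
    """Build a constructed sample handshake; origin=None omits the header."""
    lines = ["GET / HTTP/1.1", "Host: 127.0.0.1:8081", "Upgrade: websocket",
             "Connection: Upgrade", "Sec-WebSocket-Version: 13",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="]
    if origin is not None:
        lines.append("oRiGiN: " + origin)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")
```

Rejecting a missing `Origin` is a policy choice here: browsers always send the header on WebSocket handshakes, so a server that must also accept non-browser clients needs a separate authentication step rather than a relaxed origin check.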