CVE-2026-28403 (GCVE-0-2026-28403)

Vulnerability from cvelistv5 – Published: 2026-03-02 15:45 – Updated: 2026-03-02 19:27
Title
Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability
Summary
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
CWE
  • CWE-346 - Origin Validation Error
Assigner
Impacted products
Vendor   Product    Version
f        textream   Affected: < 1.5.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28403",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-02T19:26:46.910895Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-02T19:27:12.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "textream",
          "vendor": "f",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:\u003chttpPort+1\u003e`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "CWE-346: Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-02T15:45:18.206Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w"
        },
        {
          "name": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0"
        }
      ],
      "source": {
        "advisory": "GHSA-wr3v-x247-337w",
        "discovery": "UNKNOWN"
      },
      "title": "Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28403",
    "datePublished": "2026-03-02T15:45:18.206Z",
    "dateReserved": "2026-02-27T15:33:57.289Z",
    "dateUpdated": "2026-03-02T19:27:12.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-28403",
      "date": "2026-04-16",
      "epss": "0.00025",
      "percentile": "0.0668"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-28403\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-02T16:16:25.750\",\"lastModified\":\"2026-03-10T18:28:54.237\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:\u003chttpPort+1\u003e`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Textream es una aplicaci\u00f3n de telepr\u00f3nter gratuita para macOS. Antes de la versi\u00f3n 1.5.1, el servidor WebSocket \u0027DirectorServer\u0027 (ws://127.0.0.1:) acepta conexiones de cualquier origen sin validar la cabecera HTTP \u0027Origin\u0027 durante el handshake de WebSocket. Una p\u00e1gina web maliciosa visitada en la misma sesi\u00f3n del navegador puede conectarse silenciosamente al servidor WebSocket local y enviar cargas \u00fatiles \u0027DirectorCommand\u0027 arbitrarias, permitiendo el control remoto total del contenido del telepr\u00f3nter. La versi\u00f3n 1.5.1 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-346\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fka:textream:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.5.1\",\"matchCriteriaId\":\"E99045B6-44DC-4400-9E55-4A06DDBCA51A\"}]}]}],\"references\":[{\"url\":\"https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28403\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-02T19:26:46.910895Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-02T19:27:02.104Z\"}}], \"cna\": {\"title\": \"Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability\", \"source\": {\"advisory\": \"GHSA-wr3v-x247-337w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"f\", \"product\": \"textream\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.5.1\"}]}], \"references\": [{\"url\": \"https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w\", \"name\": \"https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0\", \"name\": \"https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:\u003chttpPort+1\u003e`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-346\", \"description\": \"CWE-346: Origin Validation Error\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-02T15:45:18.206Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-28403\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-02T19:27:12.422Z\", \"dateReserved\": \"2026-02-27T15:33:57.289Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-02T15:45:18.206Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}