{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28403", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:33:57.289Z", "datePublished": "2026-03-02T15:45:18.206Z", "dateUpdated": "2026-03-02T19:27:12.422Z"}, "containers": {"cna": {"title": "Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w"}, {"name": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0", "tags": ["x_refsource_MISC"], "url": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0"}], "affected": [{"vendor": "f", "product": "textream", "versions": [{"version": "< 1.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-02T15:45:18.206Z"}, "descriptions": [{"lang": "en", "value": "Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue."}], "source": {"advisory": "GHSA-wr3v-x247-337w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T19:26:46.910895Z", "id": "CVE-2026-28403", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T19:27:12.422Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28403", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T19:26:46.910895Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T19:27:02.104Z"}}], "cna": {"title": "Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability", "source": {"advisory": "GHSA-wr3v-x247-337w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "f", "product": "textream", "versions": [{"status": "affected", "version": "< 1.5.1"}]}], "references": [{"url": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w", "name": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0", "name": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-02T15:45:18.206Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28403", "state": "PUBLISHED", "dateUpdated": "2026-03-02T19:27:12.422Z", "dateReserved": "2026-02-27T15:33:57.289Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-02T15:45:18.206Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fka:textream:*:*:*:*:*:*:*:*", "matchCriteriaId": "E99045B6-44DC-4400-9E55-4A06DDBCA51A", "versionEndExcluding": "1.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue."}, {"lang": "es", "value": "Textream es una aplicaci\u00f3n de telepr\u00f3nter gratuita para macOS. Antes de la versi\u00f3n 1.5.1, el servidor WebSocket 'DirectorServer' (ws://127.0.0.1:) acepta conexiones de cualquier origen sin validar la cabecera HTTP 'Origin' durante el handshake de WebSocket. Una p\u00e1gina web maliciosa visitada en la misma sesi\u00f3n del navegador puede conectarse silenciosamente al servidor WebSocket local y enviar cargas \u00fatiles 'DirectorCommand' arbitrarias, permitiendo el control remoto total del contenido del telepr\u00f3nter. La versi\u00f3n 1.5.1 corrige el problema."}], "id": "CVE-2026-28403", "lastModified": "2026-03-10T18:28:54.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-02T16:16:25.750", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "textream", "source": "cna", "vendor": "f"}, "product": "textream", "vendor": "f"}], "analysis": {"en": {"generated_at": "2026-04-17T13:35:03.269297+00:00", "value": {"mitigation_remediation": ["Upgrade Textream to version 1.5.1 or later, which validates the Origin header before accepting WebSocket connections.", "If an upgrade is not immediately possible, block accesses to the director WebSocket port (127.0.0.1:<httpPort+1>) using local firewall rules or host\u2011based network policies.", "Disable the DirectorServer WebSocket feature or restrict its use in the application settings if the vendor provides such an option."], "summary": {"action": "Patch", "impact": "Remote control of the teleprompter via WebSocket hijacking"}, "threat_synthesis": {"affected_systems": "Textream, the free macOS teleprompter application, is affected on all versions earlier than 1.5.1. Users of these versions run an unpatched local WebSocket server that trusts all origins.", "description_and_impact": "The vulnerability lies in the DirectorServer WebSocket that accepts connections from any origin without checking the HTTP Origin header during the handshake. A page loaded in the same browser session can silently connect to the local WebSocket server and send arbitrary DirectorCommand messages, giving the attacker full control over the teleprompter\u2019s content. This flaw is a classic example of Cross\u2011Site WebSocket Hijacking and enables remote manipulation of the application from a web page.", "risk_and_exploitability": "The CVSS score of 7.6 categorises the flaw as high severity, while the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalogue. The most likely attack vector is a malicious web page that the target user visits while the same browser instance is running Textream; the attacker then establishes a WebSocket connection controlled by the page. The flaw does not require privilege escalation beyond what the user already has on the system."}}}}, "created": "2026-03-03T08:44:44.192620+00:00", "updated": "2026-04-17T13:45:16.022726+00:00", "vendors": ["f", "f$PRODUCT$textream"]}