CVE

CVE-2026-28403

Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability

CVE

CVE-2026-28403

Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the DirectorServer WebSocket server (ws://127.0.0.1:<httpPort+1>) accepts connections from any origin without validating the HTTP Origin header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary DirectorCommand payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.6

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28403.json, https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w, https://nvd.nist.gov/vuln/detail/CVE-2026-28403, https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0

Severity

7.6

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.6

EPSS Probability

0.00028%

EPSS Percentile

0.08202%

Introduced Version

Fix Available

3524fa96f98ba17025b48ce9e19d49d859fc2ec1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-28403

CVE-2026-28403

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

7.6

Basic Information

Fix Critical Vulnerabilities Instantly