PT-2026-22625 · Textream · Textream

Iamcanturk · Published 2026-03-02 · Updated 2026-03-06 · CVE-2026-28403

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Textream versions prior to 1.5.1

Description

The application is a macOS teleprompter. A Cross-Site WebSocket Hijacking (CSWSH) condition exists in the DirectorServer WebSocket server (ws://127.0.0.1:<httpPort+1>). The server does not validate the HTTP Origin header during the WebSocket handshake, allowing connections from any origin. A malicious web page, accessed during the same browser session, can connect to the WebSocket server and send arbitrary DirectorCommand payloads, enabling full remote control of the teleprompter content.

Recommendations

Update to version 1.5.1 or later.
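The missing check described above, as an added example that is not Textream's code or its 1.5.1 fix: an Origin allowlist applied in Python before the WebSocket upgrade is completed. Port 8080, the allowlist (the application's own page on `http://127.0.0.1:<httpPort>` or `http://localhost:<httpPort>`), the function names, and the policy of refusing handshakes that carry no Origin header are all assumptions.

```python
# Added example: Origin allowlist check for a loopback WebSocket handshake.
# Port 8080 and the allowlist contents are assumptions, not Textream's values.
from urllib.parse import urlsplit

HTTP_PORT = 8080  # constructed; the WebSocket server would listen on HTTP_PORT + 1
ALLOWED_ORIGINS = {
    ("http", "127.0.0.1", HTTP_PORT),
    ("http", "localhost", HTTP_PORT),
}

def parse_headers(raw):
    """Collect header values from a raw handshake request, names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def origin_allowed(raw, allowed=ALLOWED_ORIGINS):
    """True only if exactly one Origin header is present and it is allowlisted."""
    origins = parse_headers(raw).get("origin", [])
    if len(origins) != 1:                        # absent or duplicated: refuse
        return False
    try:
        parts = urlsplit(origins[0])
        port = parts.port                        # raises ValueError on a junk port
    except ValueError:
        return False
    if parts.path or parts.query or parts.fragment or parts.username:
        return False                             # an origin is scheme://host[:port] only
    if port is None:
        port = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port) in allowed   # exact match, no prefixes

def handshake_status(raw):
    """403 before the upgrade when the Origin is not trusted, else 101."""
    return 101 if origin_allowed(raw) else 403

def sample_request(origin=None):                 # constructed sample handshakes
    lines = ["GET / HTTP/1.1", f"Host: 127.0.0.1:{HTTP_PORT + 1}",
             "Upgrade: websocket", "Connection: Upgrade",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==", "Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()
```

Comparing the parsed (scheme, host, port) tuple rather than a string prefix is what keeps look-alike origins such as `http://127.0.0.1:8080.attacker.example` from passing.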

Exploit

Fix

Origin Validation Error

Weakness Enumeration

Related Identifiers

CVE-2026-28403
GHSA-WR3V-X247-337W

Affected Products

Textream