CVE-2026-28412 MEDIUM

CVE-2026-28412: Textream Vulnerable to Uncontrolled Resource Consumption (Denial of Service)

Vendor F
Product textream
Weakness CWE-400
Published March 2, 2026
Last update March 2, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.

Key dates

02Disclosure timeline

March 2, 2026 CVE published
March 2, 2026 Record updated