CVE-2026-28403

7.6 HIGH

📋 TL;DR

Textream, a macOS teleprompter app, exposes a local WebSocket control server that, in versions before 1.5.1, does not validate the Origin header of incoming connections. Any web page the user opens while the app is running can therefore open a WebSocket to it from the user's own browser (cross-site WebSocket hijacking) and send commands that change what the teleprompter displays. Affected: macOS users running a vulnerable Textream version who load an attacker-controlled or compromised page while the app is running.

💻 Affected Systems

Products:
  • Textream
Versions: All versions prior to 1.5.1
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Textream to be running on the machine while any browser on that machine loads attacker-supplied JavaScript; beyond visiting the page, no login, cookie or user interaction is needed

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could completely control teleprompter content, potentially displaying malicious or misleading information during live broadcasts or recordings.

🟠

Likely Case

Malicious websites could manipulate teleprompter text to display inappropriate content or disrupt presentations.

🟢

If Mitigated

With Origin validation in place, the server only completes the WebSocket handshake for its own origin; a page served from anywhere else is refused before it can send a single command, so only Textream's own UI can control the teleprompter.

🌐 Internet-Facing: LOW (The WebSocket server only listens on localhost, so it cannot be reached directly from the network)
🏢 Internal Only: HIGH (The victim's browser is the pivot: a page loaded from any origin can open a WebSocket to localhost, so the attacker needs no network access to the machine at all)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim's browser to run attacker-supplied JavaScript (for example by visiting a malicious page, or a legitimate page serving a malicious ad or script) while a vulnerable Textream instance is running on the same machine.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.1

Vendor Advisory: https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w

Restart Required: Yes

Instructions:

1. Download Textream 1.5.1 or newer from official source
2. Install the update
3. Restart Textream application

🔧 Temporary Workarounds

Disable Textream when not in use

Applies to: all

Close the Textream application whenever the teleprompter is not actively in use; with no server listening, a page has nothing to connect to.

Use browser extensions to block WebSocket connections

Applies to: all

Configure a browser security extension to block WebSocket connections to localhost (127.0.0.1, ::1 and the localhost name). Caveats: this only covers the browsers the extension is installed in, and if Textream's own control UI runs in a browser it will be blocked as well.

🧯 If You Can't Patch

  • Only run Textream when actively needed and close it immediately after use
  • Do not browse the web on the teleprompter machine while Textream is running; do general browsing on a separate machine or VM. A separate browser profile on the same machine does not help, because a page in any profile can still reach localhost.

🔍 How to Verify

Check if Vulnerable:

Check Textream version in application settings or About dialog

Check Version:

Open Textream → Click 'Textream' menu → Select 'About Textream'

Verify Fix Applied:

Verify the version is 1.5.1 or higher. Then, with the app running, confirm that a WebSocket handshake carrying a foreign Origin header (for example one sent from the developer console of a page on any unrelated site) is refused with a non-101 response or a closed socket, while Textream's own UI still connects.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected WebSocket connection attempts to the localhost port Textream listens on
  • DirectorCommand payloads in application logs that do not correspond to operator actions

Network Indicators:

  • WebSocket (HTTP Upgrade) traffic from browser processes to a high-numbered localhost port
  • Unexpected DirectorCommand patterns in packet captures

Loopback traffic never leaves the host, so network sensors and proxies will not see it; these indicators require host-based telemetry (an endpoint agent, a local packet capture on the loopback interface, or Textream's own logs).

SIEM Query:

(process:"Google Chrome" OR process:firefox OR process:Safari) AND destination_ip:127.0.0.1 AND destination_port:>8000 AND protocol:websocket

Browser process names on macOS carry no .exe suffix; adjust them to your endpoint agent's naming, and replace the port range with the port Textream actually binds.
