CVE-2026-28403

{"id": "CVE-2026-28403", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "published": "2026-03-02T16:16:25.750", "references": [{"url": "https://github.com/f/textream/commit/f5ebad82750b9313386c34af8f0ede50c213a8a0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/f/textream/security/advisories/GHSA-wr3v-x247-337w", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue."}, {"lang": "es", "value": "Textream es una aplicaci\u00f3n de telepr\u00f3nter gratuita para macOS. Antes de la versi\u00f3n 1.5.1, el servidor WebSocket 'DirectorServer' (ws://127.0.0.1:) acepta conexiones de cualquier origen sin validar la cabecera HTTP 'Origin' durante el handshake de WebSocket. Una p\u00e1gina web maliciosa visitada en la misma sesi\u00f3n del navegador puede conectarse silenciosamente al servidor WebSocket local y enviar cargas \u00fatiles 'DirectorCommand' arbitrarias, permitiendo el control remoto total del contenido del telepr\u00f3nter. La versi\u00f3n 1.5.1 corrige el problema."}], "lastModified": "2026-03-10T18:28:54.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fka:textream:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E99045B6-44DC-4400-9E55-4A06DDBCA51A", "versionEndExcluding": "1.5.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}