CVE-2026-28412

{"id": "CVE-2026-28412", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-02T16:16:25.930", "references": [{"url": "https://github.com/f/textream/commit/3524fa96f98ba17025b48ce9e19d49d859fc2ec1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/f/textream/security/advisories/GHSA-qr5p-7x47-qxh9", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue."}, {"lang": "es", "value": "Textream es una aplicaci\u00f3n de telepr\u00f3mpter gratuita para macOS. Antes de la versi\u00f3n 1.5.1, el servidor WebSocket 'DirectorServer' no impone l\u00edmite en las conexiones concurrentes. Combinado con un temporizador de difusi\u00f3n que env\u00eda el estado a todos los clientes conectados cada 100 ms, un atacante puede agotar la CPU y la memoria inundando el servidor con conexiones, causando que la aplicaci\u00f3n Textream se congele y falle durante una sesi\u00f3n en vivo. La versi\u00f3n 1.5.1 soluciona el problema."}], "lastModified": "2026-03-10T18:23:12.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fka:textream:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E99045B6-44DC-4400-9E55-4A06DDBCA51A", "versionEndExcluding": "1.5.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}