CVE-2026-28412

Source
https://cve.org/CVERecord?id=CVE-2026-28412
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28412.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28412
Aliases
  • GHSA-qr5p-7x47-qxh9
Published
2026-03-02T15:46:56.128Z
Modified
2026-04-10T05:42:20.297346Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
Textream Vulnerable to Uncontrolled Resource Consumption (Denial of Service)
Details

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the DirectorServer WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28412.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400"
    ]
}
References

Affected packages

Git / github.com/f/textream

Affected ranges

Type
GIT
Repo
https://github.com/f/textream
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0.0
v1.0.1
v1.1.0
v1.2.0
v1.2.1
v1.2.3
v1.2.4
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28412.json"