
CVE-2026-28403 - Vulnerability Analysis

High | CVSS: 7.6

Last Updated: March 4, 2026

Textream - Cross-Origin WebSocket Vulnerability

Published: March 2, 2026 | Updated: March 4, 2026 | PoC Available | Remote Exploitable

Overview

Textream versions before 1.5.1 contain a cross-origin WebSocket vulnerability: the DirectorServer WebSocket server does not validate the Origin header, so a malicious web page can remotely control teleprompter content. Exploitation requires the victim to visit the malicious web page in the same browser session.
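The missing control is an Origin allow-list check applied to the WebSocket upgrade request before the connection is accepted. The sketch below is an added example, not Textream's code or its 1.5.1 fix; the allowed origin, the port 8765 and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only page origin allowed to drive the local server (hypothetical value).
ALLOWED_ORIGINS = {"http://127.0.0.1:8080"}

def parse_headers(raw: bytes) -> dict:
    """Parse an HTTP upgrade request into {lowercase header name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def normalize_origin(value: str):
    """Return canonical scheme://host[:port], or None if value is not a plain web origin."""
    try:
        parts = urlsplit(value)
        port = parts.port                        # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None                              # rejects "null", file:, empty values
    if parts.path or parts.query or parts.fragment or parts.username:
        return None                              # an origin carries no path or userinfo
    default = {"http": 80, "https": 443}[parts.scheme]
    suffix = "" if port in (None, default) else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"

def handshake_allowed(raw: bytes, allow_missing_origin: bool = False) -> bool:
    """Decide whether to complete the handshake. Browsers always send Origin on
    WebSocket upgrades, so a missing header means a non-browser client; whether
    to accept those is a separate policy choice (default here: reject)."""
    origins = parse_headers(raw).get("origin", [])
    if not origins:
        return allow_missing_origin
    if len(origins) != 1:                        # duplicated header: ambiguous, reject
        return False
    return normalize_origin(origins[0]) in ALLOWED_ORIGINS   # exact match, no substring tests

def sample_request(origin=None) -> bytes:
    """Constructed handshake bytes for testing; port 8765 is a placeholder."""
    lines = ["GET / HTTP/1.1", "Host: 127.0.0.1:8765",
             "Upgrade: websocket", "Connection: Upgrade"]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()
```

A server should answer a rejected handshake with an HTTP 403 instead of the 101 upgrade response, and log the offending Origin value so unexpected cross-origin attempts are visible.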

Severity & Score

Severity: High
CVSS Score: 7.6
EPSS Score: 1.4% (Probability of exploitation in next 30 days)

Impact

Attackers can remotely control teleprompter content via WebSocket commands, potentially disrupting presentations or displaying malicious content.

Mitigation

Update to version 1.5.1 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 2, 2026

🟠 CVE-2026-28403 - High (7.6) Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A maliciou... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28403/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-28403
Severity: High
CVSS Score: 7.6
Type: undefined
Status: confirmed
EPSS: 1.4%
Social Posts: 1

CWE

  • CWE-346

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

EPSS Score

1.4% (Probability of exploitation in the next 30 days)