CVE-2026-28403
Published: 02 March 2026
Summary
CVE-2026-28403 is a high-severity Origin Validation Error (CWE-346) vulnerability in Fka Textream. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE is ranked at the 8.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-28403 affects Textream, a free macOS teleprompter application prior to version 1.5.1. The vulnerability resides in the DirectorServer WebSocket server, which listens on ws://127.0.0.1:<httpPort+1> and accepts connections from any origin without validating the HTTP Origin header during the WebSocket handshake. This misconfiguration, mapped to CWE-346 (Origin Validation Error), enables cross-origin WebSocket connections and has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L).
An attacker can exploit this vulnerability by tricking a user into visiting a malicious web page in the same browser session in which the Textream app is running. The malicious page can silently establish a WebSocket connection to the local DirectorServer and transmit arbitrary DirectorCommand payloads, granting full remote control over the teleprompter's content. No privileges are required; the only precondition is user interaction, so the flaw is reachable by remote attackers through social engineering.
The GitHub security advisory (GHSA-wr3v-x247-337w) and the fixing commit (f5ebad82750b9313386c34af8f0ede50c213a8a0) confirm that updating to Textream version 1.5.1 resolves the issue by implementing proper Origin header validation during the WebSocket handshake. Security practitioners should advise users to update the application immediately and consider monitoring for unexpected WebSocket traffic on localhost ports.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9200
Vulnerability details
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
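The handshake check described in the Deeper analysis and Vulnerability details sections, written out as an added example (this is not Textream's code or its fixing commit). It assumes the app serves its own UI from `http://127.0.0.1:<httpPort>` (or `localhost`), so those loopback origins are the only browser origins the DirectorServer on `httpPort+1` should accept; it also assumes a handshake without an `Origin` header comes from a non-browser client, since browsers always send one. The log lines at the bottom are constructed to show the monitoring idea from the advisory.

```python
"""
Origin validation for a WebSocket upgrade on a localhost server.
Constructed example, not Textream's code. ASSUMPTION: the app's web UI is
served from http://127.0.0.1:<httpPort> / http://localhost:<httpPort>, and
only those origins may open the DirectorServer WebSocket on httpPort+1.
"""
from __future__ import annotations
from typing import Mapping, Optional
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def allowed_origins(http_port: int) -> set[str]:
    """Exact origins of the app's own UI; anything else is cross-origin."""
    return {f"http://{h}:{http_port}" for h in LOOPBACK_HOSTS}


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise to scheme://host:port; None if the value is not an origin
    (e.g. the opaque 'null' origin a sandboxed iframe sends)."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()          # urlsplit already lowercases it
    if ":" in host:                        # bare IPv6 literal -> bracketed
        host = f"[{host}]"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{host}:{port}"


def check_upgrade(headers: Mapping[str, str], http_port: int) -> tuple[bool, str]:
    """Decide whether a WebSocket upgrade request may proceed.
    The pre-1.5.1 behaviour is equivalent to skipping every Origin branch
    below and returning (True, ...) for any request. Returns (accept, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = h.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake, so a missing
        # header means a non-browser client. ASSUMPTION: such local clients are
        # trusted here; reject instead if local non-browser code is in scope.
        return True, "no Origin header (non-browser client)"
    norm = normalize_origin(origin)
    if norm is None:
        return False, f"unparsable Origin {origin!r}"
    # Exact-match against the allowlist: a prefix or substring test would let
    # a host like 127.0.0.1.attacker-controlled.example slip through.
    if norm in allowed_origins(http_port):
        return True, f"same-origin {norm}"
    return False, f"cross-origin {norm} rejected"


# Constructed handshake log lines for the monitoring suggestion in the
# advisory: fields are 'timestamp ws-handshake origin=<o> path=<p>'.
CONSTRUCTED_LOG = """\
2026-03-02T10:00:01Z ws-handshake origin=http://127.0.0.1:8080 path=/director
2026-03-02T10:00:05Z ws-handshake origin=http://news.example.net path=/director
2026-03-02T10:00:09Z ws-handshake origin=- path=/director
"""


def suspicious_handshakes(log_text: str, http_port: int) -> list[tuple[str, str]]:
    """Return (timestamp, origin) for every browser-originated handshake whose
    Origin is not the app's own UI; '-' marks a handshake without Origin."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        fields = dict(f.split("=", 1) for f in parts[2:])
        origin = fields.get("origin")
        if origin in (None, "-"):
            continue
        if normalize_origin(origin) not in allowed_origins(http_port):
            hits.append((parts[0], origin))
    return hits


if __name__ == "__main__":
    for hdrs in ({"Upgrade": "websocket", "Origin": "http://127.0.0.1:8080"},
                 {"Upgrade": "websocket", "Origin": "http://news.example.net"},
                 {"Upgrade": "websocket", "Origin": "null"}):
        print(hdrs.get("Origin"), "->", check_upgrade(hdrs, 8080))
    print(suspicious_handshakes(CONSTRUCTED_LOG, 8080))
```

The design choice worth noting is the exact match on a normalised origin: scheme, host and port are all compared, and an opaque `null` origin is rejected rather than treated as "no origin". Loopback binding alone gives no protection here, because the request is made by the user's own browser.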
- CWE(s): CWE-346 (Origin Validation Error)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables a malicious webpage (visited via social engineering) to silently open a cross-origin WebSocket to the localhost DirectorServer and send arbitrary commands; this exactly matches the Drive-by Compromise (T1189) initial-access technique.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the CWE-346 Origin Validation Error by requiring validation of the HTTP Origin header during WebSocket handshakes to block unauthorized cross-origin connections.
AC-3 mandates enforcement of access controls on the DirectorServer WebSocket to restrict connections to authorized origins, preventing remote control via malicious web pages.
AC-4 enforces information flow policies to control unauthorized flows from untrusted browser contexts to the localhost WebSocket server.