Cyber Resilience

CVE-2026-28403

Severity: High · Public PoC

Published: 02 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: available (version 1.5.1)
CVSS v3.1 score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L)
EPSS score: 0.0003 (8.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28403 is a high-severity Origin Validation Error (CWE-346) vulnerability in Fka Textream. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE is ranked at the 8.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28403 affects Textream, a free macOS teleprompter application, in versions prior to 1.5.1. The vulnerability resides in the DirectorServer WebSocket server, which listens on ws://127.0.0.1:<httpPort+1> and accepts connections from any origin because it does not validate the HTTP Origin header during the WebSocket handshake. This missing check, mapped to CWE-346 (Origin Validation Error), enables cross-origin WebSocket connections; the issue carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L).

An attacker can exploit this vulnerability by tricking a user into visiting a malicious web page in the same browser session as the Textream app. The malicious page can silently establish a WebSocket connection to the local DirectorServer and transmit arbitrary DirectorCommand payloads, granting full remote control over the teleprompter's content. Binding the listener to 127.0.0.1 does not help here, because the connection originates from the victim's own browser on the same machine; only the Origin check distinguishes the app's UI from a foreign page. No privileges are required, only user interaction (UI:R), which makes the flaw reachable by remote attackers through social engineering.

The GitHub security advisory (GHSA-wr3v-x247-337w) and the fixing commit (f5ebad82750b9313386c34af8f0ede50c213a8a0) confirm that updating to Textream version 1.5.1 resolves the issue by implementing proper Origin header validation during the WebSocket handshake. Security practitioners should advise users to update the application immediately and consider monitoring for unexpected WebSocket traffic on localhost ports.


Vulnerability details

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server (`ws://127.0.0.1:<httpPort+1>`) accepts connections from any origin without validating the HTTP `Origin` header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.
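The fix the advisory describes is an Origin check in the WebSocket handshake. The following is an added example, not Textream's code, of such a check in Python: it assumes the director UI is served from http://127.0.0.1:<httpPort> (the WebSocket listener being httpPort+1, as the advisory states), compares the normalized Origin exactly against that allow list, and rejects missing, `null`, and look-alike origins. The sample upgrade requests are constructed.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

def parse_upgrade_headers(raw: bytes) -> Dict[str, str]:
    """Return the headers of an HTTP/1.1 WebSocket upgrade request, names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def normalize_origin(origin: str) -> Optional[str]:
    """Canonical scheme://host:port, or None for 'null', empty or malformed origins."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                           # non-numeric port
        return None
    return f"{parts.scheme}://{parts.hostname}:{port}"

def director_allowed_origins(http_port: int) -> set:
    """Origins of the app's own UI (assumed served from httpPort; the WS listener is httpPort+1)."""
    return {normalize_origin(f"http://127.0.0.1:{http_port}"),
            normalize_origin(f"http://localhost:{http_port}")}

def origin_is_allowed(headers: Dict[str, str], http_port: int, allow_missing: bool = False) -> bool:
    """Exact-match Origin check; prefix or substring matching is deliberately avoided."""
    origin = headers.get("origin")
    if origin is None:
        # Browsers always send Origin on upgrades, so a missing header means a non-browser client.
        return allow_missing
    return normalize_origin(origin) in director_allowed_origins(http_port)

def handshake_decision(raw: bytes, http_port: int) -> str:
    """Accept or reject a raw upgrade request; the pre-1.5.1 behaviour was to accept all."""
    return "accept" if origin_is_allowed(parse_upgrade_headers(raw), http_port) else "reject"

# Constructed sample requests: the app's own UI on port 8080, and a page on a look-alike origin.
UI_REQUEST = (b"GET /director HTTP/1.1\r\nHost: 127.0.0.1:8081\r\nUpgrade: websocket\r\n"
              b"Connection: Upgrade\r\nOrigin: http://127.0.0.1:8080\r\n\r\n")
EVIL_REQUEST = (b"GET /director HTTP/1.1\r\nHost: 127.0.0.1:8081\r\nUpgrade: websocket\r\n"
                b"Connection: Upgrade\r\nOrigin: http://127.0.0.1.evil.example:8080\r\n\r\n")
```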


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

The vulnerability enables a malicious webpage (visited via social engineering) to silently open a cross-origin WebSocket to the localhost DirectorServer and send arbitrary commands; this exactly matches the Drive-by Compromise (T1189) initial-access technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28412: same product (Fka Textream)
CVE-2026-9989: shared CWE-346
CVE-2026-2790: shared CWE-346
CVE-2026-22663: same vendor (Fka)
CVE-2026-35577: shared CWE-346
CVE-2026-22661: same vendor (Fka)
CVE-2026-22665: same vendor (Fka)
CVE-2026-45207: shared CWE-346
CVE-2024-57965: shared CWE-346
CVE-2025-1102: shared CWE-346

Affected Assets

Vendor: fka
Product: textream
Versions: ≤ 1.5.1 (as listed; the advisory text above states that 1.5.1 contains the fix)

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (prevent): directly addresses the CWE-346 Origin Validation Error by requiring validation of the HTTP Origin header during WebSocket handshakes to block unauthorized cross-origin connections.

AC-3 (prevent): mandates enforcement of access controls on the DirectorServer WebSocket to restrict connections to authorized origins, preventing remote control via malicious web pages.

AC-4 (prevent): enforces information flow policies to control unauthorized flows from untrusted browser contexts to the localhost WebSocket server.
