What is the CVSS score of CVE-2026-28403?

CVE-2026-28403 has a CVSS 3.1 base score of 7.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of macOS are affected by CVE-2026-28403?

Textream, a macOS teleprompter application, contains a WebSocket vulnerability that allows attackers to bypass origin validation and potentially hijack local sessions through cross-site WebSocket…. A patch is available.

Is there a public PoC exploit available for CVE-2026-28403?

Yes, a public proof-of-concept exploit is available for CVE-2026-28403. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-28403?

Within 24 hours: Identify and inventory all macOS systems running Textream versions prior to 1.5.1 and restrict network access to affected systems. Within 7 days: Update all instances of Textream to version 1.5.1 or later and verify successful patch deployment. Within 30 days: Conduct audit of Textream usage across the organization and document baseline for future vulnerability tracking.

macOS CVE-2026-28403

HIGH

Origin Validation Error (CWE-346)

2026-03-02 security-advisories@github.com

macOS Textream

7.6

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.6 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 10, 2026 - 18:28 vuln.today

Public exploit code

Patch released

Mar 10, 2026 - 18:28 nvd

Patch available

CVE Published

Mar 02, 2026 - 16:16 nvd

HIGH 7.6

DescriptionGitHub Advisory

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the DirectorServer WebSocket server (ws://127.0.0.1:<httpPort+1>) accepts connections from any origin without validating the HTTP Origin header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary DirectorCommand payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.

AnalysisAI

Textream prior to version 1.5.1 fails to validate the Origin header during WebSocket handshake, allowing malicious websites to establish unauthorized connections to the local DirectorServer and inject arbitrary commands. An attacker can exploit this from a browser to gain full remote control of teleprompter content without user interaction beyond visiting a compromised page. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

User visits malicious web page

Exploit

Browser connects to local WebSocket server

Execution

Attacker sends DirectorCommand payloads

Impact

Teleprompter content remotely controlled