What is the CVSS score of CVE-2026-28412?

CVE-2026-28412 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of macOS are affected by CVE-2026-28412?

Organizations using Textream should be aware of notable risk from CVE-2026-28412, a resource exhaustion vulnerability rated CVSS 6.5. Service availability could be impacted.. A patch is available.

Is there a public PoC exploit available for CVE-2026-28412?

Yes, a public proof-of-concept exploit is available for CVE-2026-28412. Prioritise patching immediately. EPSS: 0.0%.

macOS CVE-2026-28412

MEDIUM

Uncontrolled Resource Consumption (CWE-400)

2026-03-02 security-advisories@github.com

Denial Of Service macOS Textream

6.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 10, 2026 - 18:23 vuln.today

Public exploit code

Patch released

Mar 10, 2026 - 18:23 nvd

Patch available

CVE Published

Mar 02, 2026 - 16:16 nvd

MEDIUM 6.5

DescriptionNVD

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the DirectorServer WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.

AnalysisAI

Textream versions prior to 1.5.1 lack connection limits on the DirectorServer WebSocket, allowing remote attackers to trigger denial of service by flooding the server with requests that trigger periodic state broadcasts, exhausting system resources and crashing the application during live sessions. Public exploit code exists for this vulnerability. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28412 vulnerability details – vuln.today

Back

macOS CVE-2026-28412

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code