CVE-2026-28412: CWE-400: Uncontrolled Resource Consumption in textream
Textream is a free macOS teleprompter app. Prior to version 1.5.1, the `DirectorServer` WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server with connections, causing the Textream application to freeze and crash during a live session. Version 1.5.1 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-28412 is an uncontrolled resource consumption vulnerability (CWE-400) affecting Textream, a free teleprompter application for macOS. The flaw exists in the DirectorServer WebSocket server component, which, prior to version 1.5.1, imposes no restrictions on the number of concurrent client connections. The server uses a broadcast timer that sends state updates to all connected clients every 100 milliseconds, so the work done on every tick grows with the number of open connections. An attacker can exploit this by opening a large number of WebSocket connections simultaneously, causing the server to repeatedly send state data to an excessive number of clients. This results in rapid exhaustion of CPU and memory resources on the host system. The resource exhaustion causes the Textream application to freeze or crash, which is particularly disruptive during live teleprompter sessions. The vulnerability requires no privileges or authentication but does require the attacker to initiate multiple WebSocket connections, which involves user interaction. The CVSS v3.1 base score is 6.5 (medium), reflecting the high impact on availability but no impact on confidentiality or integrity. The issue is resolved in Textream version 1.5.1 by implementing limits on concurrent WebSocket connections, preventing resource exhaustion. No known exploits are reported in the wild as of the publication date.
Potential Impact
This vulnerability primarily impacts the availability of the Textream application during live teleprompter sessions. Organizations relying on Textream for presentations, broadcasts, or live events may experience application freezes or crashes, disrupting operations and causing potential reputational damage. The denial-of-service condition could delay or halt critical communications, especially in media, education, or corporate environments where teleprompters are used. Since the attack requires no authentication and can be performed remotely over the network, it increases the risk of opportunistic or targeted disruption. However, the impact is limited to the affected application and does not compromise data confidentiality or integrity. The scope is confined to macOS systems running vulnerable versions of Textream, limiting broader systemic impact. Nonetheless, the disruption of live sessions can have significant operational consequences for affected users worldwide.
Mitigation Recommendations
The primary mitigation is to upgrade Textream to version 1.5.1 or later, which includes fixes that impose limits on concurrent WebSocket connections, preventing resource exhaustion. Until they can upgrade, organizations should consider network-level controls such as rate limiting or firewall rules to restrict the number of simultaneous WebSocket connections to the DirectorServer component. Monitoring system resource usage during teleprompter sessions can help detect abnormal spikes indicative of an attack. Implementing application-layer WebSocket connection throttling or authentication mechanisms could further reduce risk. Users should avoid exposing the DirectorServer WebSocket port to untrusted networks or the public internet. Additionally, educating users about the risk of connecting to untrusted clients or networks during live sessions can reduce attack vectors. Regularly reviewing and applying vendor security updates is essential to maintain protection.
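The following is an added Python example, not Textream's DirectorServer code, illustrating the class of fix the advisory credits version 1.5.1 with: admission control in front of a server whose broadcast timer otherwise does work proportional to the number of open connections. It uses the standard library only, so a line-oriented TCP protocol stands in for WebSocket framing (an assumption of this illustration), and the cap values, peer limit and message strings are hypothetical. The demo function floods the server from one host with more clients than the cap allows and reports how many were admitted, how many were refused, and that every slot is released on disconnect; the rejected counter is the kind of signal the monitoring recommendation above would watch.

```python
"""Bounded admission control for a periodically broadcasting socket server.

Added illustration, not Textream's DirectorServer. A line-oriented TCP protocol
stands in for WebSocket framing; all cap values are hypothetical.
"""
import asyncio
from collections import Counter


class ConnectionGate:
    """Admission control: a global cap plus a per-peer cap (hypothetical values)."""

    def __init__(self, max_total: int, max_per_peer: int) -> None:
        self.max_total = max_total
        self.max_per_peer = max_per_peer
        self.total = 0
        self.per_peer: Counter = Counter()
        self.rejected = 0  # refused attempts, worth exporting as a monitoring signal

    def try_admit(self, peer: str) -> bool:
        """Register the peer and return True if both caps allow; otherwise refuse."""
        if self.total >= self.max_total or self.per_peer[peer] >= self.max_per_peer:
            self.rejected += 1
            return False
        self.total += 1
        self.per_peer[peer] += 1
        return True

    def release(self, peer: str) -> None:
        """Free the slot held by a disconnecting peer."""
        self.total -= 1
        self.per_peer[peer] -= 1
        if self.per_peer[peer] <= 0:
            del self.per_peer[peer]


class BoundedBroadcastServer:
    """Accepts clients through the gate and broadcasts state to them on a timer."""

    def __init__(self, gate: ConnectionGate, interval: float = 0.1) -> None:
        self.gate = gate
        self.interval = interval  # the advisory's 100 ms broadcast period
        self.clients: dict[asyncio.StreamWriter, str] = {}
        self.messages_sent = 0

    async def handle(self, reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
        peer = writer.get_extra_info("peername")[0]
        if not self.gate.try_admit(peer):
            # Refuse before the client joins the broadcast set: an attempt beyond
            # the cap costs one short write, not a slot on every future tick.
            writer.write(b"REJECTED connection limit reached\n")
            await writer.drain()
            writer.close()
            return
        self.clients[writer] = peer
        writer.write(b"WELCOME\n")
        await writer.drain()
        try:
            await reader.read()  # returns at EOF, i.e. when the client disconnects
        finally:
            self.clients.pop(writer, None)
            self.gate.release(peer)
            writer.close()

    async def broadcast_loop(self) -> None:
        """Per-tick cost is now bounded by max_total, not by client behaviour."""
        while True:
            await asyncio.sleep(self.interval)
            for writer in list(self.clients):
                if not writer.is_closing():
                    writer.write(b"STATE tick\n")
                    self.messages_sent += 1


async def _scenario(num_clients: int, max_total: int, max_per_peer: int) -> dict:
    gate = ConnectionGate(max_total, max_per_peer)
    srv = BoundedBroadcastServer(gate)
    server = await asyncio.start_server(srv.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    ticker = asyncio.create_task(srv.broadcast_loop())
    admitted = []
    for _ in range(num_clients):  # constructed flood of clients from one host
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        greeting = await reader.readline()
        if greeting.startswith(b"WELCOME"):
            admitted.append(writer)
        else:
            writer.close()
            await writer.wait_closed()
    await asyncio.sleep(0.35)  # let several broadcast ticks run against the bounded set
    peak_live = gate.total
    for writer in admitted:
        writer.close()
        await writer.wait_closed()
    for _ in range(50):  # wait for the server handlers to release their slots
        if gate.total == 0:
            break
        await asyncio.sleep(0.02)
    ticker.cancel()
    server.close()
    try:
        await asyncio.wait_for(server.wait_closed(), timeout=2)
    except asyncio.TimeoutError:
        pass
    return {"admitted": len(admitted), "rejected": gate.rejected, "peak_live": peak_live,
            "live_after_close": gate.total, "ticks_delivered": srv.messages_sent}


def run_demo(num_clients: int = 8, max_total: int = 3, max_per_peer: int = 3) -> dict:
    """Open more clients than the cap allows and report what the gate did."""
    return asyncio.run(_scenario(num_clients, max_total, max_per_peer))


if __name__ == "__main__":
    print(run_demo())
```

The two caps serve different purposes: the global cap bounds the work the broadcast timer can ever be made to do, while the per-peer cap keeps a single misbehaving host from consuming the whole budget and locking out legitimate clients. Refusing at admission time, before the new client is added to the broadcast set, is what keeps the cost of an over-limit attempt constant.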
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:33:57.289Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a5b6a132ffcdb8a25206aa
Added to database: 3/2/2026, 4:11:13 PM
Last enriched: 3/9/2026, 5:24:06 PM
Last updated: 4/15/2026, 8:02:49 PM