Textream is a free macOS teleprompter app. Prior to version 1.5.1, the DirectorServer WebSocket server (ws://127.0.0.1:<httpPort+1>) accepts connections from any origin without validating the HTTP Origin header during the WebSocket handshake. A malicious web page visited in the same browser session can silently connect to the local WebSocket server and send arbitrary DirectorCommand payloads, allowing full remote control of the teleprompter content. Version 1.5.1 fixes the issue.