CVE-2026-8467
Published: 2026-05-20
Priority: P2 (66) · Severity: critical · CVSS 4.0 base score: 9.5
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.91% (55.4th percentile)
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.
The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.
This issue affects phoenix_storybook from 0.5.0 before 1.1.0.
Affected (one version range, plus the equivalent git commit range)
| Vendor | Product | Affected range | Fixed in |
|---|---|---|---|
| phenixdigital | phoenix_storybook | >= 0.5.0, < 1.1.0 (package versions) | 1.1.0 |
| phenixdigital | phoenix_storybook | >= e35379dfe2ef1a71b141899e36f431017c55265d, < 56ab8464d4375fa52db806148a06cce126ad481d (git commits) | 56ab8464d4375fa52db806148a06cce126ad481d |
GHSA (published 2026-06-09)
CVE-2026-8467 [CRITICAL] CWE-94: PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
### Summary
An unsafe HEEx template generation vulnerability allows any unauthenticated user to execute arbitrary code on the server. The phoenix_storybook playground accepts user-controlled attribute values over WebSocket and interpolates them unsanitized into a HEEx template that is subsequently compiled and evaluated with full Elixir `Kernel` access.
### Details
The vulnerability is a three-step chain:
**1. Unsanitized WebSocket input (`extra_assigns_helpers.ex`)**
The `psb-assign` event handler in `PhoenixStorybook.Story.PlaygroundPreviewLive` accepts arbitrary attribute names and values from unauthenticated WebSocket clients and stores them verbatim via `ExtraAssignsH
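The chain described in the CNA description above and in the GHSA details (an untrusted attribute value spliced into the template source, which is then compiled and evaluated) reduced to a runnable script, alongside one way to build the same markup without putting client bytes into the source. This is an added illustration, not code from phoenix_storybook, the advisory, or the 1.1.0 fix: plain EEx from the Elixir standard library stands in for HEEx, so the expression delimiter is `<%= %>` rather than HEEx's `{}`, and the module, function and attribute names are made up for the demo.

```elixir
defmodule AttrMarkupDemo do
  @moduledoc """
  Added illustration, not code from phoenix_storybook: a template builder that
  splices untrusted attribute values into the template source (the pattern the
  advisory describes) next to a hardened builder that keeps those values out of
  the source. Plain EEx stands in for HEEx, so the expression delimiter here is
  <%= %> rather than HEEx's {}; every name below is made up for the demo.
  """

  # --- vulnerable pattern ---------------------------------------------------

  # Builds `name="value"` pairs by string interpolation. A value containing a
  # closing quote followed by an expression block becomes part of the template
  # source, which is what the advisory describes for attributes_markup/1.
  def unsafe_markup(attrs) do
    Enum.map_join(attrs, " ", fn {name, value} -> ~s|#{name}="#{value}"| end)
  end

  # Compiling and evaluating the assembled source runs whatever expression the
  # attacker embedded, with the full Elixir environment available.
  def unsafe_render(attrs) do
    EEx.eval_string("<div #{unsafe_markup(attrs)}></div>")
  end

  # --- hardened pattern (one possible mitigation, not the project's fix) ----

  # Only allowlisted attribute names reach the template source. Each value is
  # looked up from the `values` assign at render time and HTML-escaped on
  # output, so no client-controlled byte is ever part of the compiled source.
  # Values are keyed by string, so no atoms are created from client input.
  def safe_markup(attrs) do
    Enum.map_join(attrs, " ", fn {name, _value} ->
      unless Regex.match?(~r/\A[a-z][a-z0-9_-]*\z/, name) do
        raise ArgumentError, "rejected attribute name: #{inspect(name)}"
      end

      ~s|#{name}="<%= AttrMarkupDemo.escape(Map.fetch!(@values, "#{name}")) %>"|
    end)
  end

  def safe_render(attrs) do
    values = Map.new(attrs)
    EEx.eval_string("<div #{safe_markup(attrs)}></div>", assigns: [values: values])
  end

  # Minimal attribute-context escaper (no dependency on Plug or Phoenix.HTML).
  def escape(value) when is_binary(value) do
    value
    |> String.replace("&", "&amp;")
    |> String.replace("<", "&lt;")
    |> String.replace(">", "&gt;")
    |> String.replace("\"", "&quot;")
  end

  def escape(value), do: escape(to_string(value))

  # Constructed payload in the shape the advisory gives: close the quote, open
  # an expression block, then reopen a quote so the markup stays well formed.
  # The expression is benign (21 * 2) so the demo has no side effects.
  def demo do
    payload = ~s|foo" injected="<%= 21 * 2 %>" bar="|
    attrs = [{"name", payload}]

    %{
      unsafe: unsafe_render(attrs),
      safe: safe_render(attrs)
    }
  end
end

IO.inspect(AttrMarkupDemo.demo())
```

Run it with `elixir attr_markup_demo.exs`. In the `unsafe` result the injected expression is gone and its value sits inside a new `injected` attribute, which is the proof that the client-supplied text was compiled and executed as Elixir; in the `safe` result the entire payload appears as escaped text inside the `name` attribute and nothing was evaluated. The hardened builder also rejects attribute names outside the allowlist, which closes the second input the advisory mentions (arbitrary attribute names from the `psb-assign` handler).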
VulDB (published 2026-05-20, CVSS 9.5)
CVE-2026-8467 [CRITICAL] phenixdigital phoenix_storybook up to 1.0.x Template String code injection
A vulnerability, which was classified as critical, has been found in phenixdigital phoenix_storybook up to 1.0.x. This affects an unknown part of the component Template String Handler. The manipulation leads to code injection.
This vulnerability is listed as CVE-2026-8467. The attack may be initiated remotely. There is no available exploit.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://cna.erlef.org/cves/CVE-2026-8467.html
- https://github.com/phenixdigital/phoenix_storybook/commit/56ab8464d4375fa52db806148a06cce126ad481d
- https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p
- https://osv.dev/vulnerability/EEF-CVE-2026-8467