CVE-2026-8467
Deferred Deferred - Pending Action
Code Injection in Phoenix Storybook via HEEx Template

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: EEF

Description
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server. This issue affects phoenix_storybook from 0.5.0 before 1.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8467
EUVD
EUVD-2026-31112
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phenixdigital phoenix_storybook From 0.5.0 (inc) to 1.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8467 is a critical code injection vulnerability in the phoenix_storybook library versions 0.5.0 to before 1.1.0. It occurs because the psb-assign WebSocket event handler accepts arbitrary attribute names and values from unauthenticated clients without sanitization. These values are directly interpolated into HEEx templates without escaping, allowing an attacker to inject malicious Elixir code by crafting attribute values containing closing quotes and HEEx expression blocks. This injected code is then compiled and executed on the server with full Kernel access, enabling remote code execution.

Impact Analysis

This vulnerability allows unauthenticated attackers to execute arbitrary code on the server hosting the phoenix_storybook application. Exploitation can lead to full remote code execution with the privileges of the server process, potentially allowing attackers to run operating system commands, access sensitive data, modify or delete files, and compromise the entire server environment.

Compliance Impact

The vulnerability allows unauthenticated remote code execution on the server, which can lead to unauthorized access and control over the system hosting the phoenix_storybook application.

Such unauthorized access and potential data breaches could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data and ensuring system integrity.

Exploitation of this vulnerability could compromise confidentiality, integrity, and availability of data, thereby violating security requirements mandated by these standards.

Detection Guidance

This vulnerability can be detected by checking if your system is running a vulnerable version of the phoenix_storybook package, specifically versions greater than 0.5.0 and less than 1.1.0.

Since the vulnerability involves unsafe HEEx template generation via WebSocket event handlers, monitoring WebSocket traffic to the storybook endpoint for suspicious attribute values containing closing quotes followed by HEEx expression blocks may help detect exploitation attempts.

There are no specific commands provided in the resources to detect this vulnerability directly on the network or system.

Mitigation Strategies

The immediate mitigation step is to upgrade the phoenix_storybook package to version 1.1.0 or later, where this vulnerability has been fixed.

The fix involves safer handling of runtime attributes by passing them as data and spreading them into component renders, validation of client-provided variation IDs and attribute names, and avoiding arbitrary atom creation from WebSocket input.

Additionally, if upgrading immediately is not possible, restricting access to the storybook endpoint to trusted users or internal networks can reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8467. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart