CVE-2026-8467
Code Injection in Phoenix Storybook via HEEx Template
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: EEF
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phenixdigital | phoenix_storybook | From 0.5.0 (inc) to 1.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to execute arbitrary code on the server hosting the phoenix_storybook application. Exploitation can lead to full remote code execution with the privileges of the server process, potentially allowing attackers to run operating system commands, access sensitive data, modify or delete files, and compromise the entire server environment.
Can you explain this vulnerability to me?
CVE-2026-8467 is a critical code injection vulnerability in the phoenix_storybook library versions 0.5.0 to before 1.1.0. It occurs because the psb-assign WebSocket event handler accepts arbitrary attribute names and values from unauthenticated clients without sanitization. These values are directly interpolated into HEEx templates without escaping, allowing an attacker to inject malicious Elixir code by crafting attribute values containing closing quotes and HEEx expression blocks. This injected code is then compiled and executed on the server with full Kernel access, enabling remote code execution.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system is running a vulnerable version of the phoenix_storybook package, specifically versions greater than 0.5.0 and less than 1.1.0.
Since the vulnerability involves unsafe HEEx template generation via WebSocket event handlers, monitoring WebSocket traffic to the storybook endpoint for suspicious attribute values containing closing quotes followed by HEEx expression blocks may help detect exploitation attempts.
There are no specific commands provided in the resources to detect this vulnerability directly on the network or system.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the phoenix_storybook package to version 1.1.0 or later, where this vulnerability has been fixed.
The fix involves safer handling of runtime attributes by passing them as data and spreading them into component renders, validation of client-provided variation IDs and attribute names, and avoiding arbitrary atom creation from WebSocket input.
Additionally, if upgrading immediately is not possible, restricting access to the storybook endpoint to trusted users or internal networks can reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated remote code execution on the server, which can lead to unauthorized access and control over the system hosting the phoenix_storybook application.
Such unauthorized access and potential data breaches could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data and ensuring system integrity.
Exploitation of this vulnerability could compromise confidentiality, integrity, and availability of data, thereby violating security requirements mandated by these standards.