CVE-2026-8467
CriticalSummary
CVE-2026-8467 allows unauthenticated remote code execution in the phenixdigital phoenix_storybook application due to unsanitized attribute value interpolation in HEEx template generation.
Risk Assessment
Organizations may be exposed to remote code execution, potentially leading to system takeover or data leakage. An attacker can exploit this vulnerability to inject malicious code.
Recommendation
It is recommended to update to the latest version of phoenix_storybook and implement proper sanitization filters for attribute values before using them in templates. Access to the WebSocket should also be restricted for unauthenticated users.
Original NVD description (English source)
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_str

