PT-2026-42179 · Unknown · Phoenix Storybook

Authors: Cenk Kücük +3
Published: 2026-05-20 · Updated: 2026-05-20
CVE-2026-8467 · CVSS v4.0 9.5 Critical
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: phoenix_storybook versions 0.5.0 through 1.0.x

Description: Unauthenticated remote code execution is possible because attribute values are interpolated unsanitized during HEEx template generation. The psb-assign WebSocket event handler in the handle_event/3 function of Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive accepts arbitrary attribute names and values from unauthenticated clients. These are processed by the handle_set_variation_assign/3 function in Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers and stored verbatim. During rendering, the attributes_markup/1 function in Elixir.PhoenixStorybook.Rendering.ComponentRenderer interpolates these values into a HEEx template string without escaping double quotes or expression delimiters. An attacker can inject a closing quote followed by a HEEx expression block, which is then compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, allowing arbitrary code execution on the server.

Recommendations: Update phoenix_storybook to version 1.1.0 or later.
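The root cause described above is a data-versus-code boundary failure: client-supplied attribute values become part of the template source that is later compiled, so a value containing a closing quote and an expression block is compiled as an expression instead of being emitted as text. The following Python model, added here as an illustration and not code from Phoenix Storybook or its maintainers, reproduces that property with a toy template "compiler" (only {@name} lookups, no code evaluation) and places the vulnerable pattern beside a hardened one in which the template source is constant, attribute names are validated, and values reach the template only as escaped data. All function names, the {@name} syntax, and the sample input are assumptions constructed for this example.

```python
import html
import re

# Toy stand-in for a template compiler: every {@name} block in the template
# SOURCE is evaluated against the assigns at render time. This models only the
# relevant property (expression blocks in source get evaluated), not HEEx itself.
EXPR_BLOCK = re.compile(r"\{@([A-Za-z_][A-Za-z0-9_]*)\}")
# Allowlist for attribute names; anything else is rejected before rendering.
ATTR_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_:.-]*")


def compile_template(source):
    def render(assigns):
        # Single-pass substitution: replacement text is never re-scanned.
        return EXPR_BLOCK.sub(lambda m: str(assigns.get(m.group(1), "")), source)
    return render


def vulnerable_render(attrs, assigns):
    """Interpolates client-supplied attribute values into the template source
    (the pattern the advisory describes). Quotes are not escaped, so a value can
    close its attribute and append an expression block, which the compiler then
    treats as code rather than as data."""
    markup = " ".join(f'{name}="{value}"' for name, value in attrs.items())
    source = f"<div {markup}></div>"
    return compile_template(source)(assigns)


FIXED_SOURCE = "<div {@attrs}></div>"  # template source never contains client input


def accepts_attribute_name(name):
    """True if NAME matches the attribute-name allowlist."""
    return ATTR_NAME.fullmatch(name) is not None


def hardened_render(attrs, assigns):
    """Keeps the template source constant and passes attribute values as data:
    names are validated against the allowlist, values are HTML-escaped (quotes
    included), and the escaped markup reaches the template only via an assign."""
    for name in attrs:
        if not accepts_attribute_name(name):
            raise ValueError(f"rejected attribute name: {name!r}")
    escaped = " ".join(
        f'{name}="{html.escape(str(value), quote=True)}"' for name, value in attrs.items()
    )
    return compile_template(FIXED_SOURCE)({**assigns, "attrs": escaped})


# Constructed sample input: a value that closes its attribute and appends an
# expression block, the class of input the advisory says was stored verbatim.
UNTRUSTED_VALUE = 'ok" data-x="{@secret}'
SERVER_ASSIGNS = {"secret": "server-side value"}

if __name__ == "__main__":
    print(vulnerable_render({"title": UNTRUSTED_VALUE}, SERVER_ASSIGNS))
    # <div title="ok" data-x="server-side value"></div>   (client data was evaluated)
    print(hardened_render({"title": UNTRUSTED_VALUE}, SERVER_ASSIGNS))
    # <div title="ok&quot; data-x=&quot;{@secret}"></div>  (stays inert text)
```

The fix that matters is structural rather than a filter: once the template source is fixed at development time and every client value travels through assigns, escaping handles the quoting and there is no path by which a value can reach the compiler as source. Validating attribute names separately closes the same gap for the name side, which escaping of values does not cover.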

Fix

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2026-8467, GHSA-55HG-8QXV-QJ4P

Affected Products: Phoenix Storybook