PT-2026-42180 · Phenixdigital · Phoenix Storybook

Christian Blavier +2 · Published 2026-05-20 · Updated 2026-05-20 · CVE-2026-8469

CVSS v4.0: 8.2 High
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions
phenixdigital phoenix_storybook versions 0.2.0 through 1.0.x

Description
An unauthenticated denial-of-service can occur via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation. Specifically, the following functions are affected:
  • handle_set_variation_assign/3 interns every key of the psb-assign params map.
  • handle_toggle_variation_assign/3 interns the attr value from psb-toggle events.
  • to_variation_id/2 interns elements of variation_id.
  • to_value/4 interns raw string values for attributes declared as :atom or :boolean.
BEAM atoms are never garbage-collected, meaning each unique attacker-controlled string results in a permanent allocation. When the atom table ceiling of approximately 1,048,576 atoms is reached, the entire BEAM node aborts, causing all applications running on it to crash.

Recommendations
Update to version 1.1.0 or later.
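
As an added example (not code from Phoenix Storybook or from this advisory), the Elixir script below contrasts the String.to_atom/1 pattern described above with an allowlist lookup and String.to_existing_atom/1, and prints how far the atom table grows under each. The module name, function names, attribute list and sample keys are assumptions made for the illustration.

```elixir
# Added illustration: module and function names are hypothetical, not Phoenix Storybook code.
defmodule AtomSafeParams do
  # Attribute names the component declares (constructed list); only these may become atoms.
  @allowed_attrs ~w(label size disabled variant)a
  @lookup Map.new(@allowed_attrs, &{Atom.to_string(&1), &1})

  # Pattern from the advisory: every distinct param key is interned permanently.
  def unsafe_assigns(params) when is_map(params) do
    Map.new(params, fn {key, value} -> {String.to_atom(key), value} end)
  end

  # Allowlist lookup: unknown keys are dropped and no new atom is ever created.
  def safe_assigns(params) when is_map(params) do
    for {key, value} <- params, is_binary(key), atom = @lookup[key], into: %{} do
      {atom, value}
    end
  end

  # For values of attributes declared :atom, accept only atoms that already exist.
  def safe_atom_value(value) when is_binary(value) do
    {:ok, String.to_existing_atom(value)}
  rescue
    ArgumentError -> {:error, :unknown_atom}
  end
end

# Constructed input: 1,000 unique keys standing in for untrusted event params.
params = Map.new(1..1_000, fn i -> {"constructed_key_#{i}", "x"} end)

count = fn -> :erlang.system_info(:atom_count) end
start = count.()
AtomSafeParams.safe_assigns(params)
after_safe = count.()
AtomSafeParams.unsafe_assigns(params)
after_unsafe = count.()

IO.puts("atom limit:         #{:erlang.system_info(:atom_limit)}")
IO.puts("growth with safe:   #{after_safe - start}")
IO.puts("growth with unsafe: #{after_unsafe - after_safe}")
IO.inspect(AtomSafeParams.safe_atom_value("constructed_never_seen_atom"))
```

Tracking :erlang.system_info(:atom_count) against :atom_limit in node metrics gives early warning of this class of leak before the node aborts.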

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-8469
GHSA-833P-95JQ-929Q

Affected Products

Phoenix Storybook