Description
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.

The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.

This issue affects phoenix_storybook from 0.5.0 before 1.1.0.
Published: 2026-05-20
Score: 9.5 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-55hg-8qxv-qj4p PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
History

Thu, 21 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server. This issue affects phoenix_storybook from 0.5.0 before 1.1.0.
Title Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
First Time appeared Phenixdigital
Phenixdigital phoenix Storybook
Weaknesses CWE-94
CPEs cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
Vendors & Products Phenixdigital
Phenixdigital phoenix Storybook
References
Metrics cvssV4_0

{'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Phenixdigital Phoenix Storybook
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:41:02.357Z

Reserved: 2026-05-13T11:44:40.790Z

Link: CVE-2026-8467

cve-icon Vulnrichment

Updated: 2026-05-21T13:58:17.166Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T14:17:04.283

Modified: 2026-06-17T11:03:57.860

Link: CVE-2026-8467

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T08:19:15Z

Weaknesses