{"affected":[{"package":{"ecosystem":"Hex","name":"phoenix_storybook","purl":"pkg:hex/phoenix_storybook"},"ranges":[{"events":[{"introduced":"0.5.0"},{"fixed":"1.1.0"}],"type":"SEMVER"}],"versions":["0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.6.0","0.6.1","0.6.2","0.6.3","0.6.4","0.7.0","0.7.1","0.7.2","0.8.0","0.8.1","0.8.2","0.8.3","0.9.0","0.9.1","0.9.2","0.9.3","1.0.0"]},{"ranges":[{"events":[{"introduced":"e35379dfe2ef1a71b141899e36f431017c55265d"},{"fixed":"56ab8464d4375fa52db806148a06cce126ad481d"}],"repo":"https://github.com/phenixdigital/phoenix_storybook","type":"GIT"}]}],"aliases":["GHSA-55hg-8qxv-qj4p","CVE-2026-8467"],"credits":[{"name":"Nick Mykhailyshyn","type":"FINDER"},{"name":"Cenk Kücük","type":"ANALYST"},{"name":"Christian Blavier","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen","type":"COORDINATOR"}],"database_specific":{"capec_ids":["CAPEC-242"],"cpe_ids":["cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-94"]},"details":"## Summary\n\nCode Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.\n\nThe psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name=\"<val>\" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo\" injected={EXPR} bar=\"), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.\n\nThis issue affects phoenix_storybook from 0.5.0 before 1.1.0.","id":"EEF-CVE-2026-8467","modified":"2026-05-20T13:35:29.018Z","published":"2026-05-20T13:35:29.018Z","references":[{"type":"ADVISORY","url":"https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-8467.html"},{"type":"FIX","url":"https://github.com/phenixdigital/phoenix_storybook/commit/56ab8464d4375fa52db806148a06cce126ad481d"},{"type":"PACKAGE","url":"https://hex.pm/packages/phoenix_storybook"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","type":"CVSS_V4"}],"summary":"Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground","upstream":[]}