Description
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.

The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.
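The string-building step described above, as an added example that is not code from phoenix_storybook: a function that splices client-supplied attribute names and values into HEEx template text, beside a version that validates the name against the story's declared attributes and references the value through an assign instead of writing it into the template source. Module and function names, the name regex and the :psb_extra assign key are assumptions. The HEEx compile and eval step is deliberately not reproduced (it would need Phoenix LiveView); the injection is already visible in the template text the vulnerable shape produces.

```elixir
# Added example, not code from phoenix_storybook. It reproduces only the
# string-building step the advisory describes (client-supplied attribute
# names and values spliced into HEEx template text) next to a version that
# never puts the value into template source. Module and function names, the
# name regex and the :psb_extra assign key are assumptions.
defmodule AttrMarkupDemo do
  # Vulnerable shape: name and value are interpolated into template text.
  # A value holding a double quote closes the attribute, after which
  # anything in {...} is parsed by HEEx as an Elixir expression.
  def vulnerable_attributes_markup(attrs) when is_map(attrs) do
    Enum.map_join(attrs, " ", fn {name, val} -> "#{name}=\"#{val}\"" end)
  end

  # Attribute names must look like plain identifiers and be declared by the
  # story (the allow-list), so the client cannot smuggle delimiters through
  # the name either.
  @name_re ~r/\A[a-z][a-z0-9_-]*\z/

  # Hardened shape: the template only ever references the value through an
  # assign (assumed key :psb_extra), so the value is data to HEEx, never
  # source. The caller supplies %{psb_extra: attrs} as assigns at render time.
  def hardened_attributes_markup(attrs, allowed) when is_map(attrs) and is_list(allowed) do
    Enum.map_join(attrs, " ", fn {name, _val} ->
      unless is_binary(name) and name =~ @name_re and name in allowed do
        raise ArgumentError, "rejected attribute name: #{inspect(name)}"
      end

      "#{name}={@psb_extra[#{inspect(name)}]}"
    end)
  end
end

# Constructed payload of the shape the advisory gives: close the quoted value,
# open a {...} expression block, then reopen a quote so the tail still parses.
payload = ~S|foo" injected={System.cmd("id", [])} bar="|

IO.puts(AttrMarkupDemo.vulnerable_attributes_markup(%{"title" => payload}))
IO.puts(AttrMarkupDemo.hardened_attributes_markup(%{"title" => payload}, ["title"]))

# The client also picks the name, so a hostile name is refused outright.
try do
  AttrMarkupDemo.hardened_attributes_markup(%{~S|x" injected={1}| => "v"}, ["title"])
rescue
  e in ArgumentError -> IO.puts("refused: " <> Exception.message(e))
end
```

Run with plain `elixir` (no Phoenix dependency). The vulnerable call prints `title="foo" injected={System.cmd("id", [])} bar=""`: the attacker's `{...}` block sits outside any quoted string, which is exactly the position in which HEEx compiles it as an expression. The hardened call prints `title={@psb_extra["title"]}`, so whatever the value contains, it reaches the template only as an assign lookup at render time, and the hostile name is rejected before any markup is built.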

This issue affects phoenix_storybook from 0.5.0 before 1.1.0.
Published: 2026-05-20
Score: 9.5 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A code injection flaw in the Phoenix Storybook playground's WebSocket event handler lets any client that can reach the storybook's LiveView socket inject arbitrary HEEx template fragments. The component renderer interpolates client-supplied attribute values into the template string without escaping, so an attacker can close the quoted attribute value with a double quote and append a {...} expression block. The resulting template is compiled and evaluated with the full Kernel module imported and no sandbox, so the injected expression runs as ordinary Elixir code inside the server's VM, giving the attacker complete control of the application. This is Code Injection (CWE-94).

Affected Systems

The affected product is Phenixdigital Phoenix Storybook, versions 0.5.0 up to but not including 1.1.0.

Risk and Exploitability

The CVSS 4.0 score is 9.5 (Critical). The vector (AV:N/AC:L/AT:P/PR:N/UI:N) describes a network-reachable, low-complexity attack needing no privileges or user interaction; Attack Requirements are marked Present (AT:P), meaning the assessor assumed a deployment precondition the description does not spell out. No EPSS score is available, but the absence of an exploitation-probability estimate does not lower the risk of an unauthenticated remote vector. The vulnerability is not listed in the CISA KEV catalog. An attacker needs only network access to the storybook's LiveView WebSocket and a crafted psb-assign event; because the payload is compiled and evaluated with the full Kernel module imported and no sandbox, delivering the payload is itself arbitrary code execution. The subsequent-system impact (SC:H/SI:H/SA:H) reflects that compromising the process hosting the storybook compromises the whole application it is mounted in.

Generated by OpenCVE AI on May 20, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The stated affected range (0.5.0 before 1.1.0) implies that 1.1.0 is the first unaffected release.

OpenCVE Recommended Actions

  • Upgrade Phoenix Storybook to version 1.1.0 or later, the first release outside the stated affected range.
  • If an upgrade is not possible, put the storybook mount behind authentication (for example an authenticated router pipeline in front of the storybook routes), or do not mount the storybook at all in deployments reachable by untrusted clients. The psb-assign event is a LiveView event carried over the application's LiveView socket, not a separate endpoint, so the practical control is authenticating or removing the storybook routes rather than filtering a dedicated URL.
  • Treat client-supplied attribute names and values as data, not template source: allow-list attribute names against the story's declared attributes and pass values through assigns rather than interpolating them into the template string. If string interpolation cannot be avoided, escape double quotes and reject HEEx delimiters ({, }, <%) in both names and values before they reach the template.
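The access-restriction mitigation from the list above, as an added example that is not code from phoenix_storybook or any real project: a Phoenix router that mounts the storybook only behind an authentication plug, so the playground LiveView (and the psb-assign events it accepts) is reachable only by signed-in users. live_storybook/2 and storybook_assets/0 are the library's documented router helpers; MyAppWeb, MyAppWeb.Storybook and the RequireAdmin plug are assumptions.

```elixir
# Added example, not code from phoenix_storybook or any real project. It shows
# the mitigation of putting the storybook mount behind an authentication plug.
# live_storybook/2 and storybook_assets/0 are the library's documented router
# helpers; MyAppWeb, MyAppWeb.Storybook and MyAppWeb.Plugs.RequireAdmin are
# assumed names that a real application would replace with its own.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router
  import PhoenixStorybook.Router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery
  end

  # Assumed plug: halts (401 or redirect) unless an admin session is present.
  pipeline :require_admin do
    plug MyAppWeb.Plugs.RequireAdmin
  end

  scope "/" do
    storybook_assets()
  end

  # Before: the storybook, and with it the playground's psb-assign handler,
  # is reachable by anyone who can reach the application.
  #
  # scope "/", MyAppWeb do
  #   pipe_through :browser
  #   live_storybook "/storybook", backend_module: MyAppWeb.Storybook
  # end

  # After: the HTTP mount of every storybook LiveView runs RequireAdmin first.
  scope "/", MyAppWeb do
    pipe_through [:browser, :require_admin]
    live_storybook "/storybook", backend_module: MyAppWeb.Storybook
  end
end
```

Router plugs run on the initial HTTP request only; the later WebSocket join is authorized by the signed LiveView session token issued in that first response, so a client that never passed the plug has no token with which to join the playground view. This gates who can send psb-assign at all; it does not change the unsafe interpolation in affected versions, so it is a stopgap until the upgrade.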

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:15:00 +0000

Initial record; no values removed.

Values added:
  Description: identical to the Description section at the top of this page
  Title: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
  First time appeared: Phenixdigital; Phenixdigital phoenix Storybook
  Weaknesses: CWE-94
  CPEs: cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
  Vendors & Products: Phenixdigital; Phenixdigital phoenix Storybook
  References: (none listed)
  Metrics: cvssV4_0 {'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-20T13:35:29.018Z

Reserved: 2026-05-13T11:44:40.790Z

Link: CVE-2026-8467

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-20T14:17:04.283

Modified: 2026-05-20T14:23:14.993

Link: CVE-2026-8467

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T15:30:33Z

Weaknesses