
CVE-2026-8467: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground

AI Predicted Score: 9.8 · Difficulty: Easy · EPSS: 0.41% · P61

Affected Version Matrix (2)

Vendor        | Product           | Version Range                                                                                  | Status
phenixdigital | phoenix_storybook | from 0.5.0, before 1.1.0                                                                       | affected
phenixdigital | phoenix_storybook | from commit e35379dfe2ef1a71b141899e36f431017c55265d, before commit 56ab8464d4375fa52db806148a06cce126ad481d | affected

I. Basic Information for CVE-2026-8467

Vulnerability Information


Vulnerability Title
Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Source: NVD (National Vulnerability Database)
Vulnerability Description
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server. This issue affects phoenix_storybook from 0.5.0 before 1.1.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Control of Generation of Code (Code Injection)
Source: NVD (National Vulnerability Database)
Vulnerability Title
PhoenixStorybook Code Injection Vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
PhoenixStorybook is an open-source UI tool from Phenix Digital for showcasing and interactively debugging components. PhoenixStorybook versions from 0.5.0 up to but not including 1.1.0 contain a code injection vulnerability. The flaw stems from unsanitized attribute value interpolation, which leads to code injection during HEEx template generation and may allow an unauthenticated attacker to achieve remote code execution.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
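The NVD description above attributes the flaw to attribute values being spliced into HEEx template source as `name="<val>"`, so a value containing `"` followed by `{...}` is compiled as an Elixir expression. The module below is an added illustration written for this page; it is not phoenix_storybook's own code, and the module name, function names and the `known` allow-list argument are assumptions. It places the unsafe interpolation pattern beside a hardened builder that (a) rejects any attribute name not declared by the component and (b) emits `name={@name}` so the value reaches the render step as an assign rather than as template source. It also avoids creating atoms from client input, which matters for the atom-exhaustion issue listed under the same patch batch.

```elixir
# Added illustration, not phoenix_storybook's own code. The module name, the
# function names and the `known` allow-list argument are assumptions.
defmodule SafeAttributesMarkup do
  @moduledoc """
  Two ways of turning client-supplied attribute names and values into HEEx
  markup for a component. `unsafe/1` mirrors the interpolation pattern the
  advisory describes: the value text becomes part of the template source, so a
  quote followed by `{...}` is compiled as an Elixir expression. `safe/2` keeps
  untrusted input out of the template source entirely: names must appear in an
  allow-list of declared attributes, and the markup references assigns
  (`name={@name}`) so values are passed as data at render time.
  """

  @doc """
  Vulnerable pattern (for comparison only): the literal value lands in the
  template source, quotes and braces included.

      iex> SafeAttributesMarkup.unsafe(%{"label" => ~s(foo" injected={EXPR} bar=)})
      ~s(label="foo" injected={EXPR} bar=")
  """
  def unsafe(attrs) when is_map(attrs) do
    Enum.map_join(attrs, " ", fn {name, value} -> ~s(#{name}="#{value}") end)
  end

  @doc """
  Hardened pattern. `known` is the list of attribute atoms the component
  declares; anything else is rejected before any template is built, and the
  string name is mapped to an existing atom through that list rather than via
  `String.to_atom/1`, so untrusted input never creates atoms either.

  Returns `{:ok, markup, assigns}` or `{:error, {:unknown_attribute, name}}`.

      iex> SafeAttributesMarkup.safe(%{"label" => ~s(foo" injected={EXPR} bar=)}, [:label])
      {:ok, "label={@label}", %{label: ~s(foo" injected={EXPR} bar=)}}

      iex> SafeAttributesMarkup.safe(%{"injected" => "x"}, [:label])
      {:error, {:unknown_attribute, "injected"}}
  """
  def safe(attrs, known) when is_map(attrs) and is_list(known) do
    # Lookup table from declared attribute name to its already-existing atom.
    known_by_name = Map.new(known, fn atom -> {Atom.to_string(atom), atom} end)

    attrs
    |> Enum.sort_by(fn {name, _} -> to_string(name) end)
    |> Enum.reduce_while({:ok, [], %{}}, fn {name, value}, {:ok, parts, assigns} ->
      name = to_string(name)

      case Map.fetch(known_by_name, name) do
        {:ok, atom} ->
          # The template only names the assign; the value travels out of band
          # in the assigns map and is never part of the compiled source.
          {:cont, {:ok, ["#{name}={@#{name}}" | parts], Map.put(assigns, atom, value)}}

        :error ->
          # Unknown name: stop before building any template at all.
          {:halt, {:error, {:unknown_attribute, name}}}
      end
    end)
    |> case do
      {:ok, parts, assigns} -> {:ok, parts |> Enum.reverse() |> Enum.join(" "), assigns}
      {:error, _} = error -> error
    end
  end
end
```

The doctests embedded in the `@doc` strings are constructed inputs; the first shows the value text appearing unquoted in the template source, the second shows the same value kept as opaque assign data with a template that only mentions `@label`. Whatever string a client sends for a declared attribute, the compiled template is always the fixed `label={@label}`, so there is nothing for `EEx.compile_string/2` to evaluate beyond the component's own code; the page does not state how the project itself fixed the issue in 1.1.0, so this should be read as one defensive design, not as a description of that patch.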

Affected Products

Vendor        | Product           | Affected Versions                                                                        | CPE
phenixdigital | phoenix_storybook | 0.5.0 ~ 1.1.0                                                                            | cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
phenixdigital | phoenix_storybook | e35379dfe2ef1a71b141899e36f431017c55265d ~ 56ab8464d4375fa52db806148a06cce126ad481d | cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*

II. Public POCs for CVE-2026-8467


No public POC found.


III. Intelligence Information for CVE-2026-8467


Patches & Fixes for CVE-2026-8467 (1)

Vendor Advisories for CVE-2026-8467 (3)

Same Patch Batch · phenixdigital · 2026-05-20 · 3 CVEs total

CVE-2026-47068: Cross-session PubSub topic injection via URL parameter in phoenix_storybook
CVE-2026-8469: Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook

IV. Related Vulnerabilities

V. Comments for CVE-2026-8467
