
Phoenix Storybook CVE-2026-8467

EUVD-2026-31112 | CRITICAL
Code Injection (CWE-94)
Published 2026-05-20 | Record 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS 4.0 base score: 9.5

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: None
User Interaction: None
Vulnerable System Impact (Confidentiality / Integrity / Availability): High / High / High
Subsequent System Impact (Confidentiality / Integrity / Availability): High / High / High

Lifecycle Timeline

Patch available: May 20, 2026, 15:17 (EUVD)
Source Code Evidence Fetched: May 20, 2026, 14:30 (vuln.today)
Analysis Generated: May 20, 2026, 14:30 (vuln.today)

Description (NVD)

Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.

The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim.

When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.

This issue affects phoenix_storybook versions from 0.5.0 up to, but not including, 1.1.0.
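The interpolation pattern described above, and one way to close it, as an added Elixir illustration. This is not phoenix_storybook's code and not the vendor's fix: the module name, the two function names and the attribute-escaping approach are assumptions made for the example, and the payload is the shape quoted in the description with a harmless expression in place of EXPR.

```elixir
# Added illustration (not phoenix_storybook's code) of the HEEx attribute
# interpolation bug and a hardened variant. Names are assumed for the demo.
defmodule StorybookAttrDemo do
  # Vulnerable pattern: the value is dropped into the HEEx source unescaped,
  # so a `"` inside it terminates the attribute and everything after it is
  # parsed as template markup, including `{...}` expression blocks.
  def attributes_markup_unsafe(attrs) do
    Enum.map_join(attrs, " ", fn {name, value} -> ~s(#{name}="#{value}") end)
  end

  # Hardened pattern: accept only identifier-like attribute names and encode
  # the characters that would change how the HEEx compiler tokenises the
  # value, so `"` can no longer close the attribute and `{` / `}` can no
  # longer open or close an expression block.
  def attributes_markup_safe(attrs) do
    Enum.map_join(attrs, " ", fn {name, value} ->
      name = to_string(name)

      if not Regex.match?(~r/\A[A-Za-z_][A-Za-z0-9_\-]*\z/, name) do
        raise ArgumentError, "invalid attribute name: #{inspect(name)}"
      end

      ~s(#{name}="#{escape_attr(to_string(value))}")
    end)
  end

  # Minimal HTML attribute encoding; `{` and `}` are encoded as numeric
  # entities so they survive as literal text rather than HEEx syntax.
  defp escape_attr(value) do
    value
    |> String.replace("&", "&amp;")
    |> String.replace("\"", "&quot;")
    |> String.replace("<", "&lt;")
    |> String.replace(">", "&gt;")
    |> String.replace("{", "&#123;")
    |> String.replace("}", "&#125;")
  end
end

# Payload shape from the description: close the quote, add an attribute whose
# value is an expression block, then reopen a quote so the template still
# parses. The expression here is deliberately harmless.
payload = ~S|foo" injected={System.get_env("HOME")} bar="|

IO.puts("unsafe: " <> StorybookAttrDemo.attributes_markup_unsafe(label: payload))
IO.puts("safe:   " <> StorybookAttrDemo.attributes_markup_safe(label: payload))
```

Run with `elixir demo.exs`. The unsafe line carries `injected={System.get_env("HOME")}` into the template source as a real attribute with an expression value, which is exactly what EEx.compile_string/2 would then turn into Elixir code; the safe line keeps the whole payload inside one `label="..."` value with the quote and braces encoded. Encoding is a defence for the rendering step only; the event handler accepting arbitrary attribute names and values from unauthenticated clients is the other half of the problem and should be closed on its own.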

Analysis (AI)

Unauthenticated remote code execution in phenixdigital phoenix_storybook 0.5.0 through versions before 1.1.0 allows attackers to execute arbitrary Elixir code on the server by abusing the psb-assign WebSocket event to inject HEEx template expressions. The flaw stems from attribute values being interpolated verbatim into HEEx templates that are then compiled and evaluated with full Kernel imports and no sandbox. …


Remediation (AI)

Within 24 hours: Identify all systems using phoenix_storybook versions 0.5.0 through <1.1.0; assess direct exposure and network accessibility. Within 7 days: Upgrade to phoenix_storybook 1.1.0 or later, or isolate affected components from untrusted networks. …
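To support the first step above (finding projects that pin an affected version), here is an added Elixir script that is not part of vuln.today's guidance or of phoenix_storybook. It assumes the usual hex entry layout in mix.lock and uses Elixir's own Version.match?/2 for the range 0.5.0 <= v < 1.1.0; the mix.lock excerpt embedded in it is constructed for the demo.

```elixir
# Added example (not from vuln.today or phoenix_storybook): flag a project
# whose mix.lock pins phoenix_storybook inside the affected range.
# Assumes the standard hex entry layout in mix.lock.
defmodule StorybookVersionCheck do
  @affected ">= 0.5.0 and < 1.1.0"

  # Returns :not_present, {:affected, version} or {:ok, version}.
  def check_lock(lock_contents) when is_binary(lock_contents) do
    entry = ~r/"phoenix_storybook":\s*\{:hex,\s*:phoenix_storybook,\s*"([^"]+)"/

    case Regex.run(entry, lock_contents) do
      nil ->
        :not_present

      [_, version] ->
        if Version.match?(version, @affected),
          do: {:affected, version},
          else: {:ok, version}
    end
  end
end

# Constructed mix.lock excerpt; hashes shortened to "...".
sample_lock = ~S"""
%{
  "phoenix": {:hex, :phoenix, "1.7.14", "...", [:mix], [], "hexpm", "..."},
  "phoenix_storybook": {:hex, :phoenix_storybook, "0.8.2", "...", [:mix], [], "hexpm", "..."},
}
"""

IO.inspect(StorybookVersionCheck.check_lock(sample_lock), label: "sample")

# Against a real checkout:
#   File.read!("mix.lock") |> StorybookVersionCheck.check_lock()
```

Run it over every checkout with `elixir check.exs`, or drop the module into a CI job that reads the repository's mix.lock. Pre-release builds such as 1.1.0-rc.0 sort below 1.1.0 and are therefore reported as affected, which is the conservative outcome for this check.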



CVE-2026-8467 vulnerability details – vuln.today
