Skip to main content

Phoenix Storybook EUVDEUVD-2026-31112

| CVE-2026-8467 CRITICAL
Code Injection (CWE-94)
2026-05-20 6b3ad84c-e1a6-4bf7-a703-f496b71e49db GHSA-55hg-8qxv-qj4p
9.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.5 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 20, 2026 - 15:17 EUVD
Source Code Evidence Fetched
May 20, 2026 - 14:30 vuln.today
Analysis Generated
May 20, 2026 - 14:30 vuln.today

DescriptionCVE.org

Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.

The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.

This issue affects phoenix_storybook from 0.5.0 before 1.1.0.

AnalysisAI

Unauthenticated remote code execution in phenixdigital phoenix_storybook 0.5.0 through versions before 1.1.0 allows attackers to execute arbitrary Elixir code on the server by abusing the psb-assign WebSocket event to inject HEEx template expressions. The flaw stems from attribute values being interpolated verbatim into HEEx templates that are then compiled and evaluated with full Kernel imports and no sandbox. Publicly available exploit code exists via the upstream commit and GHSA advisory, though no public exploit identified at time of analysis for in-the-wild use; CVSS 4.0 score is 9.5.

Technical ContextAI

Phoenix Storybook is an Elixir/Phoenix LiveView development tool for showcasing UI components in a 'storybook' style sandbox, similar to the JavaScript Storybook ecosystem. The vulnerability is a classic CWE-94 (Improper Control of Generation of Code, i.e., Code Injection) realized through template injection: the PlaygroundPreviewLive LiveView accepts arbitrary attribute names/values from WebSocket clients via the psb-assign event, passes them through ExtraAssignsHelpers.handle_set_variation_assign/3 unsanitized, and the ComponentRenderer.attributes_markup/1 function interpolates binary values directly into a HEEx string of the form name="<val>" without escaping double quotes or HEEx delimiters ({...}). The resulting string is compiled by EEx.compile_string/2 and executed by Code.eval_quoted_with_env/3 with the standard Kernel module imported, meaning any Elixir expression - including System.cmd/2 or File operations - runs with the BEAM process privileges. Affected component identifiers per CPE-style references map to hex package phenixdigital/phoenix_storybook versions >=0.5.0, <1.1.0.

RemediationAI

Vendor-released patch: upgrade phoenix_storybook to version 1.1.0 or later in mix.exs and run mix deps.update phoenix_storybook (see GHSA-55hg-8qxv-qj4p). If immediate upgrade is not feasible, the most effective compensating control is to ensure the storybook routes (typically mounted with PhoenixStorybook.Router.live_storybook/2) are not exposed in production or any internet-reachable environment - gate them behind an authenticated pipeline or remove the mount entirely from prod router configuration; the trade-off is loss of storybook availability for whoever was using it in that environment. Additionally, block WebSocket upgrades to the storybook LiveView path at the reverse proxy or WAF (e.g., deny /storybook/* upgrade requests), accepting that this also breaks legitimate playground use. Network-layer restriction (allowlist developer IPs only) is a secondary control with the side effect of breaking remote contributor access.

Share

EUVD-2026-31112 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy