{"id":"CVE-2026-8467","summary":"Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground","details":"Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.\n\nThe psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name=\"\u003cval\u003e\" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo\" injected={EXPR} bar=\"), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.\n\nThis issue affects phoenix_storybook from 0.5.0 before 1.1.0.","aliases":["EEF-CVE-2026-8467","GHSA-55hg-8qxv-qj4p"],"modified":"2026-07-08T08:13:52.185476497Z","published":"2026-05-20T13:35:29.018Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8467.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"e35379dfe2ef1a71b141899e36f431017c55265d"},{"fixed":"56ab8464d4375fa52db806148a06cce126ad481d"}]}],"cwe_ids":["CWE-94"],"cna_assigner":"EEF"},"references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-8467.html"},{"type":"WEB","url":"https://github.com"},{"type":"WEB","url":"https://osv.dev/vulnerability/EEF-CVE-2026-8467"},{"type":"WEB","url":"https://repo.hex.pm"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8467.json"},{"type":"ADVISORY","url":"https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8467"},{"type":"FIX","url":"https://github.com/phenixdigital/phoenix_storybook/commit/56ab8464d4375fa52db806148a06cce126ad481d"},{"type":"PACKAGE","url":"https://github.com/phenixdigital/phoenix_storybook"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phenixdigital/phoenix_storybook","events":[{"introduced":"8b33cef6989687b8724e028e9f91f7617fbe9844"},{"fixed":"685e23efc81afd9bc921d4afa984fff34c4b7e55"},{"fixed":"56ab8464d4375fa52db806148a06cce126ad481d"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0.5.0"},{"fixed":"1.1.0"}]}}],"versions":["v1.0.0","v0.9.3","v0.9.2","v0.9.1","v0.9.0","v0.8.3","v0.8.1","v0.7.2","v0.7.1","v0.7.0","v0.6.4","v0.6.3","v0.6.2","v0.6.1","v0.6.0","v0.5.7","v0.5.6","v0.5.5","v0.5.4","v0.5.3","v0.5.2","v0.5.1","v0.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8467.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}