{"id":"EEF-CVE-2026-8467","summary":"Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground","details":"## Summary\n\nCode Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.\n\nThe psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name=\"\u003cval\u003e\" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo\" injected={EXPR} bar=\"), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.\n\nThis issue affects phoenix_storybook from 0.5.0 before 1.1.0.","aliases":["CVE-2026-8467","GHSA-55hg-8qxv-qj4p"],"modified":"2026-05-20T13:56:23.273071966Z","published":"2026-05-20T13:35:29.018Z","database_specific":{"cpe_ids":["cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"],"capec_ids":["CAPEC-242"],"cwe_ids":["CWE-94"]},"references":[{"type":"ADVISORY","url":"https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-8467.html"},{"type":"FIX","url":"https://github.com/phenixdigital/phoenix_storybook/commit/56ab8464d4375fa52db806148a06cce126ad481d"},{"type":"PACKAGE","url":"https://hex.pm/packages/phoenix_storybook"}],"affected":[{"package":{"name":"phoenix_storybook","ecosystem":"Hex","purl":"pkg:hex/phoenix_storybook"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.5.0"},{"fixed":"1.1.0"}]}],"versions":["0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.6.0","0.6.1","0.6.2","0.6.3","0.6.4","0.7.0","0.7.1","0.7.2","0.8.0","0.8.1","0.8.2","0.8.3","0.9.0","0.9.1","0.9.2","0.9.3","1.0.0"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-8467.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/phenixdigital/phoenix_storybook","events":[{"introduced":"e35379dfe2ef1a71b141899e36f431017c55265d"},{"fixed":"56ab8464d4375fa52db806148a06cce126ad481d"}]}],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-8467.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}],"credits":[{"name":"Nick Mykhailyshyn","type":"FINDER"},{"name":"Cenk Kücük","type":"ANALYST"},{"name":"Christian Blavier","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen","type":"COORDINATOR"}]}