Code Injection Vulnerability in Phoenix Storybook by Phenix Digital
CVE-2026-8467
What is CVE-2026-8467?
Phenix Digital's Phoenix Storybook (the phoenix_storybook package) contains an unauthenticated remote code execution vulnerability caused by unsanitized interpolation of attribute values during HEEx template generation. The psb-assign WebSocket event handler accepts arbitrary attribute names and values from unauthenticated clients. When the component is rendered, those names and values are interpolated directly into a HEEx template string. An attacker can therefore supply a value containing a closing quote followed by a HEEx expression block: the quote terminates the attribute, and the expression block is evaluated as Elixir code on the server. Versions from 0.5.0 up to but not including 1.1.0 are affected; upgrade to 1.1.0 or later.
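To make the mechanism concrete, the following Python model is added here; it is not Phoenix Storybook's code and does not use the project's real functions or its actual fix. It builds a component tag the way the vulnerable path does, by string-interpolating a client-supplied attribute name and value into template source, then scans the result for HEEx-style `{...}` expression blocks that ended up outside a quoted attribute value, which is exactly what the template engine would evaluate. A hardened generator follows: it validates the attribute name against an allowlist pattern and references the value through an assign (`@psb_attrs`, an assumed name) so the client-controlled string never enters template source. The component name, attribute names and the payload are constructed for the example.

```python
import re

# Allowlist for attribute names: anything outside this cannot close a
# quote, open an expression block or start a new attribute.
ATTR_NAME = re.compile(r"^[a-z_][a-z0-9_-]*$")

# Constructed payload: closes the quoted attribute, opens a HEEx expression
# block (a bare `{...}` inside a tag is evaluated by the template engine),
# then reopens a dummy attribute so the tag still parses.
PAYLOAD = 'x" {System.cmd("id", [])} y="'


def render_template_vulnerable(component, attrs):
    """Model of the unsafe pattern: client-supplied attribute names and values
    are interpolated straight into HEEx template source."""
    parts = " ".join(f'{name}="{value}"' for name, value in attrs.items())
    return f"<.{component} {parts} />"


def expression_blocks_outside_quotes(template):
    """Return every `{...}` block that sits outside a double-quoted attribute
    value. The engine treats these as Elixir expressions, so in output built
    from untrusted strings any block found here is injected code."""
    found = []
    in_quote = False
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == '"':
            in_quote = not in_quote
        elif ch == "{" and not in_quote:
            end = template.find("}", i)
            if end == -1:
                break
            found.append(template[i:end + 1])
            i = end  # skip the block body, including any quotes inside it
        i += 1
    return found


def render_template_hardened(component, attrs):
    """Keep data out of code: validate names, and reference each value through
    an assign (`@psb_attrs`, an assumed name) instead of interpolating it.
    Returns (template_source, assigns)."""
    safe = {}
    for name, value in attrs.items():
        if not ATTR_NAME.match(name):
            raise ValueError(f"rejected attribute name: {name!r}")
        safe[name] = value
    parts = " ".join(f'{name}={{@psb_attrs["{name}"]}}' for name in safe)
    return f"<.{component} {parts} />", {"psb_attrs": safe}


if __name__ == "__main__":
    vulnerable = render_template_vulnerable("button", {"title": PAYLOAD})
    print(vulnerable)
    print("injected:", expression_blocks_outside_quotes(vulnerable))
    template, assigns = render_template_hardened("button", {"title": PAYLOAD})
    print(template)
    print("assigns:", assigns)
```

With the payload, the vulnerable generator emits `<.button title="x" {System.cmd("id", [])} y="" />`, and the scanner reports the `{System.cmd("id", [])}` block as sitting outside any quoted value. The hardened generator emits `<.button title={@psb_attrs["title"]} />` and hands the payload to the engine only as data in the assigns map; the only top-level block in its output is the generator's own assign reference, and a name that tries to smuggle a quote or brace is rejected before any source is built.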
Affected Version(s)
phoenix_storybook 0.5.0 < 1.1.0
phoenix_storybook e35379dfe2ef1a71b141899e36f431017c55265d < 56ab8464d4375fa52db806148a06cce126ad481d