CVE-2026-8467 phenixdigital CVE debrief

Who should care

Teams running phoenix_storybook in development, staging, or any exposed environment should treat this as urgent. Security owners, Elixir/Phoenix maintainers, and operators who allow unauthenticated access to Storybook-style preview tooling should review exposure immediately, especially if the application accepts remote WebSocket traffic.

Technical summary

The issue chain described in the source is: unauthenticated psb-assign input reaches Story.PlaygroundPreviewLive.handle_event/3, then ExtraAssignsHelpers.handle_set_variation_assign/3 stores attacker-provided attribute data verbatim, and ComponentRenderer.attributes_markup/1 later places binary attribute values directly into a HEEx string as name="<val>". Because double quotes and HEEx expression delimiters are not escaped, a crafted value can break out of the attribute context and inject inline Elixir that is compiled with EEx.compile_string/2 and executed with Code.eval_quoted_with_env/3 under full Kernel imports. The CVE is mapped to CWE-94 in the source material.

Defensive priority

Critical. This is a network-reachable unauthenticated code injection path with potential for server-side arbitrary code execution, so it warrants immediate patching or service isolation before routine maintenance.

Recommended defensive actions

• Upgrade phoenix_storybook to version 1.1.0 or later, as referenced by the advisory scope.
• If immediate upgrade is not possible, restrict access to the Storybook preview and WebSocket endpoints to trusted users or internal networks only.
• Audit the psb-assign flow and any similar template-generation paths for unsafe interpolation of user-controlled values.
• Verify that attribute rendering escapes quotes and HEEx delimiters before template compilation.
• Review the linked upstream advisory and commit for the exact fix applied in 1.1.0 and confirm it is present in your deployed version.
• Monitor for unexpected server-side code execution indicators in any environment where phoenix_storybook was exposed unauthenticated.

Evidence notes

This debrief is based only on the supplied CVE record and linked official references. The CVE publishedAt and modifiedAt timestamps are 2026-05-20T14:17:04.283Z and 2026-05-20T14:23:14.993Z, respectively. The NVD source item marks the vulnerability status as Deferred and points to the Erlef CNA record, the upstream GitHub commit, the GitHub Security Advisory, and OSV. The source description explicitly states the affected range as phoenix_storybook 0.5.0 before 1.1.0 and describes unauthenticated remote code execution via unsanitized attribute value interpolation.

Official resources