PatchSiren

phenixdigital CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH phenixdigital CVE published 2026-05-20

CVE-2026-8469

CVE-2026-8469 is a high-severity denial-of-service issue in phenixdigital phoenix_storybook. The flaw is caused by converting attacker-controlled LiveView event parameters into atoms without adequate validation, which can permanently consume BEAM atom table entries. Because atoms are not garbage-collected, repeated unique inputs can eventually exhaust the atom table and crash the BEAM node. The issue affe [truncated]

CRITICAL phenixdigital CVE published 2026-05-20

CVE-2026-8467

CVE-2026-8467 is a critical code injection issue in phoenix_storybook. According to the CVE record and linked advisory, unauthenticated clients can submit arbitrary attribute names and values through the psb-assign WebSocket event. Those values are later interpolated into a HEEx template without properly escaping quotes or expression delimiters, allowing attacker-controlled content to become executable El [truncated]

LOW phenixdigital CVE published 2026-05-20

CVE-2026-47068

CVE-2026-47068 describes an authorization bypass in phenixdigital phoenix_storybook where a user-controlled URL query parameter lets one iframe announce its PID on another session’s PubSub topic. In affected versions, that can cause a victim playground to direct subsequent control messages to the attacker’s iframe process instead of its own.