DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-8467: Unauthenticated Remote Code Execution in phoenix_storybook

Vulnerability ID: CVE-2026-8467
CVSS Score: 9.5
Published: 2026-06-09

An unauthenticated remote code execution (RCE) vulnerability exists in phoenix_storybook versions 0.5.0 through 1.0.x due to improper input sanitization during HEEx template generation. By sending crafted WebSocket messages, an attacker can escape HTML attribute boundaries and execute arbitrary Elixir code.

TL;DR

Improper sanitization of component attributes in the phoenix_storybook playground allows remote attackers to inject arbitrary Elixir expressions into HEEx templates, resulting in unauthenticated remote code execution.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94
  • Attack Vector: Network (AV:N)
  • CVSS Score: 9.5 (Critical)
  • Exploit Status: Proof-of-Concept Available
  • KEV Status: Not Listed
  • Impact: Unauthenticated Remote Code Execution

Affected Systems

  • phoenix_storybook (Elixir Package)
  • phoenix_storybook: >= 0.5.0, < 1.1.0 (Fixed in: 1.1.0)

Code Analysis

Commit: 56ab846

Secure template generation by passing attributes via safe template assigns instead of interpolating binary strings, and restrict attribute names with regex.
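The commit message above describes two changes: stop building HEEx template source out of attacker-controlled strings, and allow-list attribute names. The following is an added illustration of both patterns written for this page; it is not code from the phoenix_storybook commit. It assumes phoenix_live_view is available (for `Phoenix.Component` and the `~H` sigil); the module and function names are invented for the example.

```elixir
# Added example (not phoenix_storybook's code): the template-generation
# anti-pattern the advisory describes, next to the assigns-based fix.
# Assumes phoenix_live_view is a dependency.
defmodule StorybookAttrExample do
  use Phoenix.Component

  # Allow-list for attribute names: HTML-style identifiers only. Any character
  # that could close a quote or open template syntax is rejected outright.
  @attr_name ~r/\A[a-z][a-z0-9_-]*\z/

  # Anti-pattern (the class of bug fixed in 1.1.0): the template *source* is
  # assembled from user-controlled strings and later handed to the template
  # compiler, so a value that breaks out of the attribute quote is compiled
  # as code instead of rendered as data.
  def unsafe_source(component, attrs) do
    attr_src = Enum.map_join(attrs, " ", fn {k, v} -> ~s(#{k}="#{v}") end)
    "<.#{component} #{attr_src} />"
  end

  # Hardened: validate names against the allow-list and return them as plain
  # data. Values are not inspected because they never reach the compiler.
  def validate_attrs(attrs) when is_map(attrs) do
    Enum.reduce_while(attrs, {:ok, %{}}, fn {k, v}, {:ok, acc} ->
      name = to_string(k)

      if Regex.match?(@attr_name, name) do
        {:cont, {:ok, Map.put(acc, name, v)}}
      else
        {:halt, {:error, {:invalid_attribute_name, name}}}
      end
    end)
  end

  # The template source is fixed at compile time. `{@attrs}` spreads the
  # validated map as attributes and HEEx HTML-escapes every value, so a value
  # containing quote or template delimiters renders as text, never as code.
  def render_preview(assigns) do
    ~H"""
    <div id="preview" {@attrs}><%= @body %></div>
    """
  end
end
```

In `iex`, `StorybookAttrExample.validate_attrs(%{"class" => "btn", "data-role" => "x"})` returns `{:ok, %{...}}`, while a map whose key contains a quote, brace or angle bracket returns `{:error, {:invalid_attribute_name, name}}` and is never rendered. The important property is structural: with `render_preview/1` there is no code path in which user input is concatenated into template source, so escaping cannot be forgotten for a single attribute.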

Exploit Details

  • GitHub Security Advisory: Discloses the vulnerability mechanics and lists regression test cases used to demonstrate the exploit.

Mitigation Strategies

  • Upgrade phoenix_storybook to version 1.1.0 or higher
  • Restrict Storybook route definition to :dev environments in mix.exs and router.ex
  • Apply network-level IP whitelisting to the storybook endpoints

Remediation Steps:

  1. Open mix.exs and locate the phoenix_storybook dependency definition.
  2. Change the version constraint to '~> 1.1.0'.
  3. Run 'mix deps.get' and 'mix deps.compile phoenix_storybook' to fetch and compile the patched package.
  4. Verify that the build completes successfully and execute all regression tests using 'mix test'.
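The mitigation bullets (restricting the storybook to `:dev` in `mix.exs` and `router.ex`) and the remediation steps (pinning the fixed release) can be combined in one change. The fragments below are an added example for this page, not files from the phoenix_storybook project or any real application; they assume a Phoenix 1.7-style app named `MyApp`/`MyAppWeb` whose generated `config/dev.exs` already sets the `dev_routes` flag, and a `MyAppWeb.Storybook` backend module created per the package's setup.

```elixir
# Added example (not the project's own files). Assumes a Phoenix 1.7-style app
# named MyApp/MyAppWeb with the generator's `dev_routes` flag in config/dev.exs.

# mix.exs: pin the patched release and keep the package out of prod builds.
defp deps do
  [
    {:phoenix_storybook, "~> 1.1.0", only: :dev}
  ]
end

# config/dev.exs (already present in generated apps; `import Config` at top):
config :my_app, dev_routes: true

# lib/my_app_web/router.ex: mount the storybook only where dev_routes is set.
# Application.compile_env/2 is evaluated at compile time, so in a prod build
# the whole block is gone and the dev-only dependency is never referenced.
if Application.compile_env(:my_app, :dev_routes) do
  import PhoenixStorybook.Router

  scope "/" do
    storybook_assets()
  end

  scope "/", MyAppWeb do
    pipe_through :browser
    live_storybook "/storybook", backend_module: MyAppWeb.Storybook
  end
end
```

After editing, `mix deps.get && mix deps.compile phoenix_storybook` fetches and compiles the patched version, and `mix test` confirms the build. Because `only: :dev` also excludes the package from `MIX_ENV=test`, change it to `only: [:dev, :test]` if the application's own tests exercise story modules. The compile-time guard matters even when the routes are already IP-restricted: a storybook endpoint that is not compiled into the release cannot be reached by an unauthenticated WebSocket message at all.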
