Lucene search
K

30 matches found

EUVD
EUVD
added 2026/06/09 9:59 p.m.8 views

EUVD-2026-31111

PhoenixStorybook has cross-session PubSub topic injection via URL parameter...

2.3CVSS5.4AI score0.00449EPSS
Exploits0References5
OSV
OSV
added 2026/06/09 9:59 p.m.9 views

GHSA-MRHX-6PW9-Q5FH PhoenixStorybook has cross-session PubSub topic injection via URL parameter

Summary The storybook iframe LiveView accepts a PubSub topic from the URL query string and broadcasts its own pid onto that topic with no check that the topic belongs to the current session. Any unauthenticated visitor who knows or guesses another user's playground topic can hijack the...

2.3CVSS5.5AI score0.00449EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/09 9:59 p.m.10 views

EUVD-2026-31114

PhoenixStorybook: Unbounded atom creation from LiveView event params atom-table DoS...

8.2CVSS5.4AI score0.00537EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/09 9:59 p.m.13 views

PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS)

Summary An attacker who can deliver psb-assign, psb-toggle, psb-set-theme, upper-tab-navigation, lower-tab-navigation, playground-change, or playground-toggle LiveView events to a mounted Phoenix Storybook playground can flood the BEAM atom table with attacker-controlled strings, permanently...

8.2CVSS5.5AI score0.00537EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/06/09 9:58 p.m.8 views

GHSA-55HG-8QXV-QJ4P PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground

Summary An unsafe HEEx template generation vulnerability allows any unauthenticated user to execute arbitrary code on the server. The phoenixstorybook playground accepts user-controlled attribute values over WebSocket and interpolates them unsanitized into a HEEx template that is subsequently...

9.5CVSS6.8AI score0.00907EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/09 9:58 p.m.10 views

EUVD-2026-31112

PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenixstorybook playground...

9.5CVSS6.3AI score0.00907EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/09 9:58 p.m.23 views

PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground

Summary An unsafe HEEx template generation vulnerability allows any unauthenticated user to execute arbitrary code on the server. The phoenixstorybook playground accepts user-controlled attribute values over WebSocket and interpolates them unsanitized into a HEEx template that is subsequently...

9.5CVSS6.8AI score0.00907EPSS
Exploits0References6Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/21 7:57 p.m.6 views

CVE-2026-8469

Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenixstorybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.toatom/1 without...

8.2CVSS5.8AI score0.00537EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/21 7:57 p.m.10 views

CVE-2026-47068

Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...

2.3CVSS5.8AI score0.00449EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/21 7:57 p.m.11 views

CVE-2026-8467

Code Injection vulnerability in phenixdigital phoenixstorybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handleevent/3...

9.5CVSS6.6AI score0.00907EPSS
Exploits0References1
NVD
NVD
added 2026/05/20 2:17 p.m.17 views

CVE-2026-8469

Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenixstorybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.toatom/1 without...

8.2CVSS0.00537EPSS
Exploits0References4
NVD
NVD
added 2026/05/20 2:17 p.m.16 views

CVE-2026-8467

Code Injection vulnerability in phenixdigital phoenixstorybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handleevent/3...

9.5CVSS0.00907EPSS
Exploits0References4
NVD
NVD
added 2026/05/20 2:17 p.m.19 views

CVE-2026-47068

Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...

2.3CVSS0.00449EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/20 1:35 p.m.8 views

CVE-2026-47068 Cross-session PubSub topic injection via URL parameter in phoenix_storybook

Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...

2.3CVSS5.8AI score0.00449EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:35 p.m.13 views

CVE-2026-47068

Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...

2.3CVSS5.8AI score0.00449EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/05/20 1:35 p.m.44 views

CVE-2026-47068 Cross-session PubSub topic injection via URL parameter in phoenix_storybook

Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...

2.3CVSS0.00449EPSS
Exploits0References4
CVE
CVE
added 2026/05/20 1:35 p.m.27 views

CVE-2026-47068

The vulnerability is an Authorization Bypass in phoenix_storybook: Elixir.PhoenixStorybook.Story.ComponentIframeLive reads topic from params and broadcasts the iframe process PID on that PubSub topic without verifying session ownership, enabling cross-session topic injection. An attacker can load...

2.3CVSS5.8AI score0.00449EPSS
Exploits0References4
OSV
OSV
added 2026/05/20 1:35 p.m.6 views

EEF-CVE-2026-47068 Cross-session PubSub topic injection via URL parameter in phoenix_storybook

Summary Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in...

2.3CVSS5.8AI score0.00449EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:35 p.m.10 views

CVE-2026-8467

Code Injection vulnerability in phenixdigital phoenixstorybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handleevent/3...

9.5CVSS6.6AI score0.00907EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/05/20 1:35 p.m.39 views

CVE-2026-8467 Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground

Code Injection vulnerability in phenixdigital phoenixstorybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handleevent/3...

9.5CVSS0.00907EPSS
Exploits0References4
Rows per page
Query Builder