19 matches found
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Summary An unsafe HEEx template generation vulnerability allows any unauthenticated user to execute arbitrary code on the server. The phoenix_storybook playground accepts user-controlled attribute values over WebSocket and interpolates them unsanitized into a HEEx template that is subsequently...
EUVD-2026-31112
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground...
GHSA-55HG-8QXV-QJ4P PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Summary An unsafe HEEx template generation vulnerability allows any unauthenticated user to execute arbitrary code on the server. The phoenix_storybook playground accepts user-controlled attribute values over WebSocket and interpolates them unsanitized into a HEEx template that is subsequently...
CVE-2026-8467
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3...
CVE-2026-8467 Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3...
CVE-2026-8467
PHOENIX_STORYBOOK contains a code‑injection vulnerability (CVE-2026-8467) that allows unauthenticated remote code execution via HEEx template injection. An attacker can supply arbitrary attribute names/values to the psb-assign WebSocket handler; unescaped attribute values are interpolated into HE...
PhoenixStorybook Code Injection Vulnerability
PhoenixStorybook is an open-source UI tool for displaying components and debugging their interactions, developed by Phenix Digital. Versions of PhoenixStorybook from 0.5.0 to 1.1.0 had a code injection vulnerability. This vulnerability stemmed from unsanitized attribute value interpolation, which led to code...
PT-2026-42179
Name of the Vulnerable Software and Affected Versions: phoenix_storybook versions 0.5.0 through 1.0.x. Description: Unauthenticated remote code execution is possible due to unsanitized attribute value interpolation during HEEx template generation. The psb-assign WebSocket event handler in the handle...
EUVD-2023-0339
Malicious code in bioql PyPI...
Cross-site Scripting (XSS)
phoenix_html is vulnerable to Cross-Site Scripting (XSS) attacks. The library does not properly escape the special characters before it outputs to the front end, allowing an attacker to inject and execute malicious JavaScript via HEEx class attributes in tag.ex...
phoenix_html allows Cross-site Scripting in HEEx class attributes
tag.ex in Phoenix Phoenix.HTML aka phoenix_html before 3.0.4 allows XSS in HEEx class attributes...
GHSA-5G2H-9X5V-5H3X phoenix_html allows Cross-site Scripting in HEEx class attributes
tag.ex in Phoenix Phoenix.HTML aka phoenix_html before 3.0.4 allows XSS in HEEx class attributes...
CVE-2021-46871
tag.ex in Phoenix Phoenix.HTML aka phoenix_html before 3.0.4 allows XSS in HEEx class attributes...
CVE-2021-46871
tag.ex in Phoenix Phoenix.HTML aka phoenix_html before 3.0.4 allows XSS in HEEx class attributes...
Design/Logic Flaw
tag.ex in Phoenix Phoenix.HTML aka phoenix_html before 3.0.4 allows XSS in HEEx class attributes...
CVE-2021-46871
tag.ex in Phoenix Phoenix.HTML aka phoenix_html before 3.0.4 allows XSS in HEEx class attributes...
GHSA-J3GG-R6GP-95Q2 XSS in HEEx class attributes
The class attribute was not protected against XSS attacks when using HEEx...
XSS in HEEx class attributes
The class attribute was not protected against XSS attacks when using HEEx...
PT-2022-12947 · Phoenix · Phoenix.Html
Name of the Vulnerable Software and Affected Versions: Phoenix Phoenix.HTML aka phoenix_html versions prior to 3.0.4 Description: The issue allows XSS in HEEx class attributes. The class attribute was not protected against XSS attacks when using HEEx. Recommendations: For versions prior to 3.0.4,...