6 matches found
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Summary: An unsafe HEEx template generation vulnerability allows any unauthenticated user to execute arbitrary code on the server. The phoenix_storybook playground accepts user-controlled attribute values over WebSocket and interpolates them unsanitized into a HEEx template that is subsequently...
GHSA-55HG-8QXV-QJ4P PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Summary: An unsafe HEEx template generation vulnerability allows any unauthenticated user to execute arbitrary code on the server. The phoenix_storybook playground accepts user-controlled attribute values over WebSocket and interpolates them unsanitized into a HEEx template that is subsequently...
EUVD-2026-31112
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground...
CVE-2026-8467 Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3...
CVE-2026-8467
PHOENIX_STORYBOOK contains a code‑injection vulnerability (CVE-2026-8467) that allows unauthenticated remote code execution via HEEx template injection. An attacker can supply arbitrary attribute names/values to the psb-assign WebSocket handler; unescaped attribute values are interpolated into HE...
PT-2026-42179
Name of the Vulnerable Software and Affected Versions: phoenix storybook versions 0.5.0 through 1.0.x. Description: Unauthenticated remote code execution is possible due to unsanitized attribute value interpolation during HEEx template generation. The psb-assign WebSocket event handler in the handle...