2 matches found
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Summary An unsafe HEEx template generation vulnerability allows any unauthenticated user to execute arbitrary code on the server. The phoenixstorybook playground accepts user-controlled attribute values over WebSocket and interpolates them unsanitized into a HEEx template that is subsequently...
CVE-2026-8467
PHOENIX_STORYBOOK contains a code‑injection vulnerability (CVE-2026-8467) that allows unauthenticated remote code execution via HEEx template injection. An attacker can supply arbitrary attribute names/values to the psb-assign WebSocket handler; unescaped attribute values are interpolated into HE...