3 vulnerabilities by phenixdigital
CVE-2026-47068 (GCVE-0-2026-47068)
Vulnerability from cvelistv5 – Published: 2026-05-20 13:35 – Updated: 2026-05-22 04:38
Title
Cross-session PubSub topic injection via URL parameter in phoenix_storybook
Summary
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.
'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/&lt;story&gt;?topic=&lt;victim_topic&gt; causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process. In practice this means the attacker's process receives the variation state, theme and extra-assign payloads meant for the victim's session, and — since the playground sends to whichever pid it last received — the victim's own iframe presumably stops receiving them; this is why the CVSS 4.0 vector scores low confidentiality and integrity impact (VC:L/VI:L) and no availability impact. Two preconditions apply: the victim must have a playground session open (UI:P), and the attacker must know or guess that session's topic string (attack requirements: present). The record does not say how topics are generated, so check the patched code for whether they are unguessable rather than assuming it.
This issue affects phoenix_storybook from 0.4.0 (inclusive) up to, but not including, 1.1.0; 1.1.0 contains the fix (patch commit 6ee03f1c738d4436dde1b066cf65c80663d489f5, referenced below). Upgrade to 1.1.0 or later.
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
4 references
| URL | Tags |
|---|---|
| https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-47068.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-47068 | related |
| https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5 | patch |
Impacted products
2 products
| Vendor | Product | Version | CPE |
|---|---|---|---|
| phenixdigital | phoenix_storybook | Affected: 0.4.0 , < 1.1.0 (semver) | cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:* |
| phenixdigital | phoenix_storybook | Affected: 8c2c97b0f505780fee4069988bf86736f51d35d7 , < 6ee03f1c738d4436dde1b066cf65c80663d489f5 (git) | cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47068",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T13:59:23.206364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T13:59:48.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027"
],
"packageName": "phoenix_storybook",
"packageURL": "pkg:hex/phoenix_storybook",
"product": "phoenix_storybook",
"programFiles": [
"lib/phoenix_storybook/live/story/component_iframe_live.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3"
}
],
"repo": "https://github.com/phenixdigital/phoenix_storybook",
"vendor": "phenixdigital",
"versions": [
{
"lessThan": "1.1.0",
"status": "affected",
"version": "0.4.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027"
],
"packageName": "phenixdigital/phoenix_storybook",
"packageURL": "pkg:github/phenixdigital/phoenix_storybook",
"product": "phoenix_storybook",
"programFiles": [
"lib/phoenix_storybook/live/story/component_iframe_live.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3"
}
],
"repo": "https://github.com/phenixdigital/phoenix_storybook",
"vendor": "phenixdigital",
"versions": [
{
"lessThan": "6ee03f1c738d4436dde1b066cf65c80663d489f5",
"status": "affected",
"version": "8c2c97b0f505780fee4069988bf86736f51d35d7",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.1.0",
"versionStartIncluding": "0.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian Blavier"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3\u003c/tt\u003e in \u003ctt\u003elib/phoenix_storybook/live/story/component_iframe_live.ex\u003c/tt\u003e reads a PubSub topic directly from \u003ctt\u003eparams[\"topic\"]\u003c/tt\u003e and broadcasts \u003ctt\u003e{:component_iframe_pid, self()}\u003c/tt\u003e on it with no check that the topic belongs to the requesting session. The shared \u003ctt\u003ePhoenixStorybook.PubSub\u003c/tt\u003e is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via \u003ctt\u003esend/2\u003c/tt\u003e. Because the iframe trusts the query parameter, an attacker who loads \u003ctt\u003e/storybook/iframe/\u0026lt;story\u0026gt;?topic=\u0026lt;victim_topic\u0026gt;\u003c/tt\u003e causes their iframe process pid to be announced on the victim\u0027s topic. The victim\u0027s playground then addresses its private messages to the attacker\u0027s iframe process.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.4.0 before 1.1.0.\u003c/p\u003e"
}
],
"value": "Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.\n\n\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params[\"topic\"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/\u003cstory\u003e?topic=\u003cvictim_topic\u003e causes their iframe process pid to be announced on the victim\u0027s topic. The victim\u0027s playground then addresses its private messages to the attacker\u0027s iframe process.\n\nThis issue affects phoenix_storybook from 0.4.0 before 1.1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-12",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-12 Choosing Message Identifier"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T04:38:28.149Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-47068.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-47068"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-session PubSub topic injection via URL parameter in phoenix_storybook",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-47068",
"datePublished": "2026-05-20T13:35:33.215Z",
"dateReserved": "2026-05-18T17:28:08.321Z",
"dateUpdated": "2026-05-22T04:38:28.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8467 (GCVE-0-2026-8467)
Vulnerability from cvelistv5 – Published: 2026-05-20 13:35 – Updated: 2026-05-22 04:38
Title
Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Summary
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.
The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="&lt;val&gt;" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server. The injected expression runs inside the BEAM node hosting the application, with whatever OS and application privileges that node has; no credentials or victim interaction are involved (PR:N/UI:N), and the CVSS 4.0 base score is 9.5 (Critical). The one precondition (attack requirements: present) is that the storybook playground route is reachable by the attacker, so any pre-1.1.0 storybook exposed to an untrusted network should be treated as remotely exploitable for full code execution.
This issue affects phoenix_storybook from 0.5.0 (inclusive) up to, but not including, 1.1.0; 1.1.0 contains the fix (patch commit 56ab8464d4375fa52db806148a06cce126ad481d, referenced below). Upgrade to 1.1.0 or later; until then, do not expose the storybook route to untrusted clients.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
References
4 references
| URL | Tags |
|---|---|
| https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-8467.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-8467 | related |
| https://github.com/phenixdigital/phoenix_storybook/commit/56ab8464d4375fa52db806148a06cce126ad481d | patch |
Impacted products
2 products
| Vendor | Product | Version | CPE |
|---|---|---|---|
| phenixdigital | phoenix_storybook | Affected: 0.5.0 , < 1.1.0 (semver) | cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:* |
| phenixdigital | phoenix_storybook | Affected: e35379dfe2ef1a71b141899e36f431017c55265d , < 56ab8464d4375fa52db806148a06cce126ad481d (git) | cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8467",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T13:57:52.803277Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T13:58:36.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.PhoenixStorybook.Rendering.ComponentRenderer",
"Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive",
"Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers"
],
"packageName": "phoenix_storybook",
"packageURL": "pkg:hex/phoenix_storybook",
"product": "phoenix_storybook",
"programFiles": [
"lib/phoenix_storybook/rendering/component_renderer.ex",
"lib/phoenix_storybook/live/story/playground_preview_live.ex",
"lib/phoenix_storybook/helpers/extra_assigns_helpers.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1"
},
{
"name": "\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3"
},
{
"name": "\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
}
],
"repo": "https://github.com/phenixdigital/phoenix_storybook",
"vendor": "phenixdigital",
"versions": [
{
"lessThan": "1.1.0",
"status": "affected",
"version": "0.5.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.PhoenixStorybook.Rendering.ComponentRenderer",
"Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive",
"Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers"
],
"packageName": "phenixdigital/phoenix_storybook",
"packageURL": "pkg:github/phenixdigital/phoenix_storybook",
"product": "phoenix_storybook",
"programFiles": [
"lib/phoenix_storybook/rendering/component_renderer.ex",
"lib/phoenix_storybook/live/story/playground_preview_live.ex",
"lib/phoenix_storybook/helpers/extra_assigns_helpers.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1"
},
{
"name": "\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3"
},
{
"name": "\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
}
],
"repo": "https://github.com/phenixdigital/phoenix_storybook",
"vendor": "phenixdigital",
"versions": [
{
"lessThan": "56ab8464d4375fa52db806148a06cce126ad481d",
"status": "affected",
"version": "e35379dfe2ef1a71b141899e36f431017c55265d",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.1.0",
"versionStartIncluding": "0.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nick Mykhailyshyn"
},
{
"lang": "en",
"type": "analyst",
"value": "Cenk K\u00fcc\u00fck"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian Blavier"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCode Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003epsb-assign\u003c/tt\u003e WebSocket event handler in \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3\u003c/tt\u003e accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3\u003c/tt\u003e, which stores them verbatim. When rendering, \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1\u003c/tt\u003e interpolates binary attribute values directly into a HEEx template string as \u003ctt\u003ename=\"\u0026lt;val\u0026gt;\"\u003c/tt\u003e without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. \u003ctt\u003efoo\" injected={EXPR} bar=\"\u003c/tt\u003e), which causes \u003ctt\u003eEXPR\u003c/tt\u003e to be treated as an inline Elixir expression. The resulting template is compiled via \u003ctt\u003eEEx.compile_string/2\u003c/tt\u003e and executed via \u003ctt\u003eCode.eval_quoted_with_env/3\u003c/tt\u003e with full \u003ctt\u003eKernel\u003c/tt\u003e imports and no sandbox, giving the attacker arbitrary code execution on the server.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.5.0 before 1.1.0.\u003c/p\u003e"
}
],
"value": "Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.\n\nThe psb-assign WebSocket event handler in \u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to \u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3, which stores them verbatim. When rendering, \u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name=\"\u003cval\u003e\" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo\" injected={EXPR} bar=\"), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.\n\nThis issue affects phoenix_storybook from 0.5.0 before 1.1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T04:38:10.372Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-8467.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-8467"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/commit/56ab8464d4375fa52db806148a06cce126ad481d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-8467",
"datePublished": "2026-05-20T13:35:29.018Z",
"dateReserved": "2026-05-13T11:44:40.790Z",
"dateUpdated": "2026-05-22T04:38:10.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8469 (GCVE-0-2026-8469)
Vulnerability from cvelistv5 – Published: 2026-05-20 13:35 – Updated: 2026-05-22 04:38
Title
Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook
Summary
Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.
Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of "variation_id"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it. Because the allocations outlive the LiveView connection that made them, the damage accumulates across reconnects and is only undone by restarting the node; the blast radius is the whole node, not just the storybook (VA:H, CVSS 4.0 base 8.2). Note that this record names the module 'Elixir.PhoenixStorybook.ExtraAssignsHelpers' while CVE-2026-8467 names 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers'; both point at the same file, lib/phoenix_storybook/helpers/extra_assigns_helpers.ex, so they are presumably the same module.
This issue affects phoenix_storybook from 0.2.0 (inclusive) up to, but not including, 1.1.0; 1.1.0 contains the fix (patch commit 96d524690af0fe197a49f60d18e564a620b9ef81, referenced below). Upgrade to 1.1.0 or later. The record's configuration note applies: the storybook must be mounted on a network-reachable route, so restricting who can reach that route is the interim mitigation.
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
References
4 references
| URL | Tags |
|---|---|
| https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-8469.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-8469 | related |
| https://github.com/phenixdigital/phoenix_storybook/commit/96d524690af0fe197a49f60d18e564a620b9ef81 | patch |
Impacted products
2 products
| Vendor | Product | Version | CPE |
|---|---|---|---|
| phenixdigital | phoenix_storybook | Affected: 0.2.0 , < 1.1.0 (semver) | cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:* |
| phenixdigital | phoenix_storybook | Affected: 0228669d55c23a754d1ef11f49a32121129d5395 , < 96d524690af0fe197a49f60d18e564a620b9ef81 (git) | cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8469",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T13:55:42.783019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T13:56:33.631Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.PhoenixStorybook.ExtraAssignsHelpers",
"Elixir.PhoenixStorybook.Story.Playground"
],
"packageName": "phoenix_storybook",
"packageURL": "pkg:hex/phoenix_storybook",
"product": "phoenix_storybook",
"programFiles": [
"lib/phoenix_storybook/helpers/extra_assigns_helpers.ex",
"lib/phx_live_storybook/live/entry_live.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
},
{
"name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3"
},
{
"name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2"
},
{
"name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4"
}
],
"repo": "https://github.com/phenixdigital/phoenix_storybook",
"vendor": "phenixdigital",
"versions": [
{
"lessThan": "1.1.0",
"status": "affected",
"version": "0.2.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.PhoenixStorybook.ExtraAssignsHelpers",
"Elixir.PhoenixStorybook.Story.Playground"
],
"packageName": "phenixdigital/phoenix_storybook",
"packageURL": "pkg:github/phenixdigital/phoenix_storybook",
"product": "phoenix_storybook",
"programFiles": [
"lib/phoenix_storybook/helpers/extra_assigns_helpers.ex",
"lib/phx_live_storybook/live/entry_live.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
},
{
"name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3"
},
{
"name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2"
},
{
"name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4"
}
],
"repo": "https://github.com/phenixdigital/phoenix_storybook",
"vendor": "phenixdigital",
"versions": [
{
"lessThan": "96d524690af0fe197a49f60d18e564a620b9ef81",
"status": "affected",
"version": "0228669d55c23a754d1ef11f49a32121129d5395",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Phoenix Storybook must be mounted on a network-reachable route."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.1.0",
"versionStartIncluding": "0.2.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian Blavier"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.\u003c/p\u003e\u003cp\u003eMultiple LiveView event handlers convert user-supplied event parameter strings to atoms using \u003ctt\u003eString.to_atom/1\u003c/tt\u003e without validation: \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3\u003c/tt\u003e interns every key of the \u003ctt\u003epsb-assign\u003c/tt\u003e params map; \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3\u003c/tt\u003e interns the \u003ctt\u003e\"attr\"\u003c/tt\u003e value from \u003ctt\u003epsb-toggle\u003c/tt\u003e events; \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2\u003c/tt\u003e interns elements of \u003ctt\u003e\"variation_id\"\u003c/tt\u003e; and \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4\u003c/tt\u003e interns raw string values for attributes declared as \u003ctt\u003e:atom\u003c/tt\u003e or \u003ctt\u003e:boolean\u003c/tt\u003e. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.2.0 before 1.1.0.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.\n\nMultiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3 interns every key of the psb-assign params map; \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3 interns the \"attr\" value from psb-toggle events; \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2 interns elements of \"variation_id\"; and \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.\n\nThis issue affects phoenix_storybook from 0.2.0 before 1.1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T04:38:05.472Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-8469.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-8469"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phenixdigital/phoenix_storybook/commit/96d524690af0fe197a49f60d18e564a620b9ef81"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-8469",
"datePublished": "2026-05-20T13:35:27.914Z",
"dateReserved": "2026-05-13T11:44:43.316Z",
"dateUpdated": "2026-05-22T04:38:05.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}