Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    6 vulnerabilities by phenixdigital

    CVE-2026-8469 (GCVE-0-2026-8469)

    Vulnerability from nvd – Published: 2026-05-20 13:35 – Updated: 2026-05-27 15:40
    VLAI
    Title
    Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook
    Summary
    Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of "variation_id"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it. This issue affects phoenix_storybook from 0.2.0 before 1.1.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    phenixdigital phoenix_storybook Affected: 0.2.0 , < 1.1.0 (semver)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    phenixdigital phoenix_storybook Affected: 0228669d55c23a754d1ef11f49a32121129d5395 , < 96d524690af0fe197a49f60d18e564a620b9ef81 (git)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Christian Blavier Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8469",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T13:55:42.783019Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T13:56:33.631Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.PhoenixStorybook.ExtraAssignsHelpers",
                "Elixir.PhoenixStorybook.Story.Playground"
              ],
              "packageName": "phoenix_storybook",
              "packageURL": "pkg:hex/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex",
                "lib/phx_live_storybook/live/entry_live.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "1.1.0",
                  "status": "affected",
                  "version": "0.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.PhoenixStorybook.ExtraAssignsHelpers",
                "Elixir.PhoenixStorybook.Story.Playground"
              ],
              "packageName": "phenixdigital/phoenix_storybook",
              "packageURL": "pkg:github/phenixdigital/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex",
                "lib/phx_live_storybook/live/entry_live.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "96d524690af0fe197a49f60d18e564a620b9ef81",
                  "status": "affected",
                  "version": "0228669d55c23a754d1ef11f49a32121129d5395",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "Phoenix Storybook must be mounted on a network-reachable route."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.1.0",
                      "versionStartIncluding": "0.2.0",
                      "vulnerable": true
                    }
                  ],
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Christian Blavier"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.\u003c/p\u003e\u003cp\u003eMultiple LiveView event handlers convert user-supplied event parameter strings to atoms using \u003ctt\u003eString.to_atom/1\u003c/tt\u003e without validation: \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3\u003c/tt\u003e interns every key of the \u003ctt\u003epsb-assign\u003c/tt\u003e params map; \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3\u003c/tt\u003e interns the \u003ctt\u003e\"attr\"\u003c/tt\u003e value from \u003ctt\u003epsb-toggle\u003c/tt\u003e events; \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2\u003c/tt\u003e interns elements of \u003ctt\u003e\"variation_id\"\u003c/tt\u003e; and \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4\u003c/tt\u003e interns raw string values for attributes declared as \u003ctt\u003e:atom\u003c/tt\u003e or \u003ctt\u003e:boolean\u003c/tt\u003e. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.2.0 before 1.1.0.\u003c/p\u003e"
                }
              ],
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.\n\nMultiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3 interns every key of the psb-assign params map; \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3 interns the \"attr\" value from psb-toggle events; \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2 interns elements of \"variation_id\"; and \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.\n\nThis issue affects phoenix_storybook from 0.2.0 before 1.1.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:55.927Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-8469.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8469"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/commit/96d524690af0fe197a49f60d18e564a620b9ef81"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-8469",
        "datePublished": "2026-05-20T13:35:27.914Z",
        "dateReserved": "2026-05-13T11:44:43.316Z",
        "dateUpdated": "2026-05-27T15:40:55.927Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8467 (GCVE-0-2026-8467)

    Vulnerability from nvd – Published: 2026-05-20 13:35 – Updated: 2026-05-27 15:41
    VLAI
    Title
    Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
    Summary
    Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server. This issue affects phoenix_storybook from 0.5.0 before 1.1.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    phenixdigital phoenix_storybook Affected: 0.5.0 , < 1.1.0 (semver)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    phenixdigital phoenix_storybook Affected: e35379dfe2ef1a71b141899e36f431017c55265d , < 56ab8464d4375fa52db806148a06cce126ad481d (git)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Nick Mykhailyshyn Cenk Kücük Christian Blavier Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8467",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T13:57:52.803277Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T13:58:36.035Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.PhoenixStorybook.Rendering.ComponentRenderer",
                "Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive",
                "Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers"
              ],
              "packageName": "phoenix_storybook",
              "packageURL": "pkg:hex/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/rendering/component_renderer.ex",
                "lib/phoenix_storybook/live/story/playground_preview_live.ex",
                "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "1.1.0",
                  "status": "affected",
                  "version": "0.5.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.PhoenixStorybook.Rendering.ComponentRenderer",
                "Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive",
                "Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers"
              ],
              "packageName": "phenixdigital/phoenix_storybook",
              "packageURL": "pkg:github/phenixdigital/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/rendering/component_renderer.ex",
                "lib/phoenix_storybook/live/story/playground_preview_live.ex",
                "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "56ab8464d4375fa52db806148a06cce126ad481d",
                  "status": "affected",
                  "version": "e35379dfe2ef1a71b141899e36f431017c55265d",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.1.0",
                      "versionStartIncluding": "0.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nick Mykhailyshyn"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Cenk K\u00fcc\u00fck"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Christian Blavier"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eCode Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003epsb-assign\u003c/tt\u003e WebSocket event handler in \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3\u003c/tt\u003e accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3\u003c/tt\u003e, which stores them verbatim. When rendering, \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1\u003c/tt\u003e interpolates binary attribute values directly into a HEEx template string as \u003ctt\u003ename=\"\u0026lt;val\u0026gt;\"\u003c/tt\u003e without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. \u003ctt\u003efoo\" injected={EXPR} bar=\"\u003c/tt\u003e), which causes \u003ctt\u003eEXPR\u003c/tt\u003e to be treated as an inline Elixir expression. The resulting template is compiled via \u003ctt\u003eEEx.compile_string/2\u003c/tt\u003e and executed via \u003ctt\u003eCode.eval_quoted_with_env/3\u003c/tt\u003e with full \u003ctt\u003eKernel\u003c/tt\u003e imports and no sandbox, giving the attacker arbitrary code execution on the server.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.5.0 before 1.1.0.\u003c/p\u003e"
                }
              ],
              "value": "Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.\n\nThe psb-assign WebSocket event handler in \u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to \u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3, which stores them verbatim. When rendering, \u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name=\"\u003cval\u003e\" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo\" injected={EXPR} bar=\"), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.\n\nThis issue affects phoenix_storybook from 0.5.0 before 1.1.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:41:02.357Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-8467.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8467"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/commit/56ab8464d4375fa52db806148a06cce126ad481d"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-8467",
        "datePublished": "2026-05-20T13:35:29.018Z",
        "dateReserved": "2026-05-13T11:44:40.790Z",
        "dateUpdated": "2026-05-27T15:41:02.357Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47068 (GCVE-0-2026-47068)

    Vulnerability from nvd – Published: 2026-05-20 13:35 – Updated: 2026-05-27 15:41
    VLAI
    Title
    Cross-session PubSub topic injection via URL parameter in phoenix_storybook
    Summary
    Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process. This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    phenixdigital phoenix_storybook Affected: 0.4.0 , < 1.1.0 (semver)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    phenixdigital phoenix_storybook Affected: 8c2c97b0f505780fee4069988bf86736f51d35d7 , < 6ee03f1c738d4436dde1b066cf65c80663d489f5 (git)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Christian Blavier Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47068",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T13:59:23.206364Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T13:59:48.062Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027"
              ],
              "packageName": "phoenix_storybook",
              "packageURL": "pkg:hex/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/live/story/component_iframe_live.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "1.1.0",
                  "status": "affected",
                  "version": "0.4.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027"
              ],
              "packageName": "phenixdigital/phoenix_storybook",
              "packageURL": "pkg:github/phenixdigital/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/live/story/component_iframe_live.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "6ee03f1c738d4436dde1b066cf65c80663d489f5",
                  "status": "affected",
                  "version": "8c2c97b0f505780fee4069988bf86736f51d35d7",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.1.0",
                      "versionStartIncluding": "0.4.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Christian Blavier"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3\u003c/tt\u003e in \u003ctt\u003elib/phoenix_storybook/live/story/component_iframe_live.ex\u003c/tt\u003e reads a PubSub topic directly from \u003ctt\u003eparams[\"topic\"]\u003c/tt\u003e and broadcasts \u003ctt\u003e{:component_iframe_pid, self()}\u003c/tt\u003e on it with no check that the topic belongs to the requesting session. The shared \u003ctt\u003ePhoenixStorybook.PubSub\u003c/tt\u003e is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via \u003ctt\u003esend/2\u003c/tt\u003e. Because the iframe trusts the query parameter, an attacker who loads \u003ctt\u003e/storybook/iframe/\u0026lt;story\u0026gt;?topic=\u0026lt;victim_topic\u0026gt;\u003c/tt\u003e causes their iframe process pid to be announced on the victim\u0027s topic. The victim\u0027s playground then addresses its private messages to the attacker\u0027s iframe process.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.4.0 before 1.1.0.\u003c/p\u003e"
                }
              ],
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.\n\n\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params[\"topic\"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/\u003cstory\u003e?topic=\u003cvictim_topic\u003e causes their iframe process pid to be announced on the victim\u0027s topic. The victim\u0027s playground then addresses its private messages to the attacker\u0027s iframe process.\n\nThis issue affects phoenix_storybook from 0.4.0 before 1.1.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-12",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-12 Choosing Message Identifier"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:41:37.339Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-47068.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47068"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Cross-session PubSub topic injection via URL parameter in phoenix_storybook",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-47068",
        "datePublished": "2026-05-20T13:35:33.215Z",
        "dateReserved": "2026-05-18T17:28:08.321Z",
        "dateUpdated": "2026-05-27T15:41:37.339Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47068 (GCVE-0-2026-47068)

    Vulnerability from cvelistv5 – Published: 2026-05-20 13:35 – Updated: 2026-05-27 15:41
    VLAI
    Title
    Cross-session PubSub topic injection via URL parameter in phoenix_storybook
    Summary
    Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process. This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    phenixdigital phoenix_storybook Affected: 0.4.0 , < 1.1.0 (semver)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    phenixdigital phoenix_storybook Affected: 8c2c97b0f505780fee4069988bf86736f51d35d7 , < 6ee03f1c738d4436dde1b066cf65c80663d489f5 (git)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Christian Blavier Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47068",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T13:59:23.206364Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T13:59:48.062Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027"
              ],
              "packageName": "phoenix_storybook",
              "packageURL": "pkg:hex/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/live/story/component_iframe_live.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "1.1.0",
                  "status": "affected",
                  "version": "0.4.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027"
              ],
              "packageName": "phenixdigital/phoenix_storybook",
              "packageURL": "pkg:github/phenixdigital/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/live/story/component_iframe_live.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "6ee03f1c738d4436dde1b066cf65c80663d489f5",
                  "status": "affected",
                  "version": "8c2c97b0f505780fee4069988bf86736f51d35d7",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.1.0",
                      "versionStartIncluding": "0.4.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Christian Blavier"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3\u003c/tt\u003e in \u003ctt\u003elib/phoenix_storybook/live/story/component_iframe_live.ex\u003c/tt\u003e reads a PubSub topic directly from \u003ctt\u003eparams[\"topic\"]\u003c/tt\u003e and broadcasts \u003ctt\u003e{:component_iframe_pid, self()}\u003c/tt\u003e on it with no check that the topic belongs to the requesting session. The shared \u003ctt\u003ePhoenixStorybook.PubSub\u003c/tt\u003e is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via \u003ctt\u003esend/2\u003c/tt\u003e. Because the iframe trusts the query parameter, an attacker who loads \u003ctt\u003e/storybook/iframe/\u0026lt;story\u0026gt;?topic=\u0026lt;victim_topic\u0026gt;\u003c/tt\u003e causes their iframe process pid to be announced on the victim\u0027s topic. The victim\u0027s playground then addresses its private messages to the attacker\u0027s iframe process.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.4.0 before 1.1.0.\u003c/p\u003e"
                }
              ],
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.\n\n\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params[\"topic\"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/\u003cstory\u003e?topic=\u003cvictim_topic\u003e causes their iframe process pid to be announced on the victim\u0027s topic. The victim\u0027s playground then addresses its private messages to the attacker\u0027s iframe process.\n\nThis issue affects phoenix_storybook from 0.4.0 before 1.1.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-12",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-12 Choosing Message Identifier"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:41:37.339Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-47068.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47068"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Cross-session PubSub topic injection via URL parameter in phoenix_storybook",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-47068",
        "datePublished": "2026-05-20T13:35:33.215Z",
        "dateReserved": "2026-05-18T17:28:08.321Z",
        "dateUpdated": "2026-05-27T15:41:37.339Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8467 (GCVE-0-2026-8467)

    Vulnerability from cvelistv5 – Published: 2026-05-20 13:35 – Updated: 2026-05-27 15:41
    VLAI
    Title
    Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
    Summary
    Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server. This issue affects phoenix_storybook from 0.5.0 before 1.1.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    phenixdigital phoenix_storybook Affected: 0.5.0 , < 1.1.0 (semver)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    phenixdigital phoenix_storybook Affected: e35379dfe2ef1a71b141899e36f431017c55265d , < 56ab8464d4375fa52db806148a06cce126ad481d (git)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Nick Mykhailyshyn Cenk Kücük Christian Blavier Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8467",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T13:57:52.803277Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T13:58:36.035Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.PhoenixStorybook.Rendering.ComponentRenderer",
                "Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive",
                "Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers"
              ],
              "packageName": "phoenix_storybook",
              "packageURL": "pkg:hex/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/rendering/component_renderer.ex",
                "lib/phoenix_storybook/live/story/playground_preview_live.ex",
                "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "1.1.0",
                  "status": "affected",
                  "version": "0.5.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.PhoenixStorybook.Rendering.ComponentRenderer",
                "Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive",
                "Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers"
              ],
              "packageName": "phenixdigital/phoenix_storybook",
              "packageURL": "pkg:github/phenixdigital/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/rendering/component_renderer.ex",
                "lib/phoenix_storybook/live/story/playground_preview_live.ex",
                "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "56ab8464d4375fa52db806148a06cce126ad481d",
                  "status": "affected",
                  "version": "e35379dfe2ef1a71b141899e36f431017c55265d",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.1.0",
                      "versionStartIncluding": "0.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nick Mykhailyshyn"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Cenk K\u00fcc\u00fck"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Christian Blavier"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eCode Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003epsb-assign\u003c/tt\u003e WebSocket event handler in \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3\u003c/tt\u003e accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3\u003c/tt\u003e, which stores them verbatim. When rendering, \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1\u003c/tt\u003e interpolates binary attribute values directly into a HEEx template string as \u003ctt\u003ename=\"\u0026lt;val\u0026gt;\"\u003c/tt\u003e without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. \u003ctt\u003efoo\" injected={EXPR} bar=\"\u003c/tt\u003e), which causes \u003ctt\u003eEXPR\u003c/tt\u003e to be treated as an inline Elixir expression. The resulting template is compiled via \u003ctt\u003eEEx.compile_string/2\u003c/tt\u003e and executed via \u003ctt\u003eCode.eval_quoted_with_env/3\u003c/tt\u003e with full \u003ctt\u003eKernel\u003c/tt\u003e imports and no sandbox, giving the attacker arbitrary code execution on the server.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.5.0 before 1.1.0.\u003c/p\u003e"
                }
              ],
              "value": "Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.\n\nThe psb-assign WebSocket event handler in \u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to \u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3, which stores them verbatim. When rendering, \u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name=\"\u003cval\u003e\" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo\" injected={EXPR} bar=\"), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.\n\nThis issue affects phoenix_storybook from 0.5.0 before 1.1.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:41:02.357Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-8467.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8467"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/commit/56ab8464d4375fa52db806148a06cce126ad481d"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-8467",
        "datePublished": "2026-05-20T13:35:29.018Z",
        "dateReserved": "2026-05-13T11:44:40.790Z",
        "dateUpdated": "2026-05-27T15:41:02.357Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8469 (GCVE-0-2026-8469)

    Vulnerability from cvelistv5 – Published: 2026-05-20 13:35 – Updated: 2026-05-27 15:40
    VLAI
    Title
    Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook
    Summary
    Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of "variation_id"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it. This issue affects phoenix_storybook from 0.2.0 before 1.1.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    phenixdigital phoenix_storybook Affected: 0.2.0 , < 1.1.0 (semver)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    phenixdigital phoenix_storybook Affected: 0228669d55c23a754d1ef11f49a32121129d5395 , < 96d524690af0fe197a49f60d18e564a620b9ef81 (git)
        cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Christian Blavier Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8469",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T13:55:42.783019Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T13:56:33.631Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.PhoenixStorybook.ExtraAssignsHelpers",
                "Elixir.PhoenixStorybook.Story.Playground"
              ],
              "packageName": "phoenix_storybook",
              "packageURL": "pkg:hex/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex",
                "lib/phx_live_storybook/live/entry_live.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "1.1.0",
                  "status": "affected",
                  "version": "0.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.PhoenixStorybook.ExtraAssignsHelpers",
                "Elixir.PhoenixStorybook.Story.Playground"
              ],
              "packageName": "phenixdigital/phoenix_storybook",
              "packageURL": "pkg:github/phenixdigital/phoenix_storybook",
              "product": "phoenix_storybook",
              "programFiles": [
                "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex",
                "lib/phx_live_storybook/live/entry_live.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2"
                },
                {
                  "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4"
                }
              ],
              "repo": "https://github.com/phenixdigital/phoenix_storybook",
              "vendor": "phenixdigital",
              "versions": [
                {
                  "lessThan": "96d524690af0fe197a49f60d18e564a620b9ef81",
                  "status": "affected",
                  "version": "0228669d55c23a754d1ef11f49a32121129d5395",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "Phoenix Storybook must be mounted on a network-reachable route."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.1.0",
                      "versionStartIncluding": "0.2.0",
                      "vulnerable": true
                    }
                  ],
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Christian Blavier"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.\u003c/p\u003e\u003cp\u003eMultiple LiveView event handlers convert user-supplied event parameter strings to atoms using \u003ctt\u003eString.to_atom/1\u003c/tt\u003e without validation: \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3\u003c/tt\u003e interns every key of the \u003ctt\u003epsb-assign\u003c/tt\u003e params map; \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3\u003c/tt\u003e interns the \u003ctt\u003e\"attr\"\u003c/tt\u003e value from \u003ctt\u003epsb-toggle\u003c/tt\u003e events; \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2\u003c/tt\u003e interns elements of \u003ctt\u003e\"variation_id\"\u003c/tt\u003e; and \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4\u003c/tt\u003e interns raw string values for attributes declared as \u003ctt\u003e:atom\u003c/tt\u003e or \u003ctt\u003e:boolean\u003c/tt\u003e. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.2.0 before 1.1.0.\u003c/p\u003e"
                }
              ],
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.\n\nMultiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3 interns every key of the psb-assign params map; \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3 interns the \"attr\" value from psb-toggle events; \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2 interns elements of \"variation_id\"; and \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.\n\nThis issue affects phoenix_storybook from 0.2.0 before 1.1.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:55.927Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-8469.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8469"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/phenixdigital/phoenix_storybook/commit/96d524690af0fe197a49f60d18e564a620b9ef81"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-8469",
        "datePublished": "2026-05-20T13:35:27.914Z",
        "dateReserved": "2026-05-13T11:44:43.316Z",
        "dateUpdated": "2026-05-27T15:40:55.927Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }