Threat Advisory

PhoenixStorybook Vulnerability Enables Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in PhoenixStorybook (erlang/phoenix_storybook) versions 0.2.0 through 1.0.x (>= 0.2.0, < 1.1.0). The flaws include unbounded atom creation leading to denial-of-service, and unsanitized HEEx template interpolation resulting in remote code execution. Both issues can be triggered by unauthenticated users sending specially crafted LiveView events to the storybook playground. An attacker can exhaust the BEAM atom table, causing the entire Erlang VM to crash, or inject arbitrary Elixir code that runs with the privileges of the server process. The business impact ranges from service outage to full system compromise.

  • CVE-2026-8469 with a CVSS score of 8.2 – This unbounded atom creation flaw in PhoenixStorybook allows an unauthenticated attacker to send crafted LiveView events (psb-assign, psb-toggle, etc.) that are converted to atoms via String.to_atom/1, eventually filling the BEAM atom table and causing the VM to abort. No authentication beyond reaching the storybook route is required.
  • CVE-2026-8467 with a CVSS score of 9.5 – This remote code execution issue arises from unsanitized attribute values in WebSocket-delivered psb-assign events being interpolated into a HEEx template, compiled and evaluated without sandboxing, enabling an attacker to run arbitrary Elixir code and system commands. Exploitation only requires access to the public storybook playground endpoint.

Both vulnerabilities present an immediate and severe threat because they can be exploited without authentication, potentially causing total service disruption or full server compromise. Organizations running PhoenixStorybook should treat the findings as critical and prioritize rapid response to avoid downtime, data loss, and unauthorized code execution.
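As an added illustration of the two patterns named above (example code written for this advisory, not code from phoenix_storybook or its 1.1.0 patch): the unbounded String.to_atom/1 conversion beside a bounded alternative, and client-supplied values rendered through assigns into a precompiled HEEx template rather than spliced into template source. The module name, function names and the allowlist are assumptions.

```elixir
defmodule PlaygroundAssigns do
  # Needed for the ~H sigil (phoenix_live_view).
  import Phoenix.Component

  # Assumed allowlist of assign keys the playground is expected to accept.
  # Declaring them here also guarantees the atoms exist before any request.
  @allowed_keys ~w(label variant disabled)a

  # UNSAFE pattern described in CVE-2026-8469: every distinct key string sent by
  # the client becomes a new atom. Atoms are never garbage-collected, so the
  # atom table grows with each unique key until the VM aborts.
  def unsafe_assign(key, value, assigns) when is_binary(key) do
    Map.put(assigns, String.to_atom(key), value)
  end

  # Bounded alternative: String.to_existing_atom/1 cannot create atoms, and the
  # result is additionally checked against the allowlist, so unknown keys are
  # rejected instead of consuming atom-table space.
  def safe_assign(key, value, assigns) when is_binary(key) do
    with {:ok, atom} <- to_known_atom(key),
         true <- atom in @allowed_keys do
      {:ok, Map.put(assigns, atom, value)}
    else
      _ -> {:error, {:unknown_key, key}}
    end
  end

  defp to_known_atom(key) do
    {:ok, String.to_existing_atom(key)}
  rescue
    # Raised when no atom with this name exists yet.
    ArgumentError -> {:error, :unknown}
  end

  # Rendering counterpart to CVE-2026-8467: the value flows through assigns into
  # a template compiled once at build time, where HEEx HTML-escapes it. The
  # client string is never concatenated into template source that is then
  # compiled and evaluated at request time.
  def render_label(assigns) do
    ~H"""
    <span class="playground-label"><%= @label %></span>
    """
  end
end
```

Calling `safe_assign("label", "hello", %{})` returns `{:ok, %{label: "hello"}}`, while an arbitrary key such as `"zzz_not_declared"` returns `{:error, {:unknown_key, "zzz_not_declared"}}` without creating an atom.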

RECOMMENDATION:

  • We recommend updating phoenix_storybook to version 1.1.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-833p-95jq-929q
https://github.com/advisories/GHSA-55hg-8qxv-qj4p