External risk intelligence

Code injection in phoenix_storybook can let attackers run any code on your server.

CVE advisorySeverity: CRITICAL (CVSS 9.5)

CVE-2026-8467

An external attacker can exploit Phoenix Storybook to run malicious code on your server. This flaw could allow them to gain full administrative control, leading to unauthorized access to sensitive data and critical system infrastructure.

2Halo Surface Signal

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-8467

This vulnerability affects a component preview tool intended for development and design workflows. Such services are typically restricted to internal networks, build environments, or local workstations, making public internet exposure uncommon for typical, properly secured deployments.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows attackers to run arbitrary code on your server. It happens when the phoenix_storybook tool improperly handles inputs, which can then be used to execute malicious commands.

  • Remote execution possible.
  • Affects development tools.
  • Unauthenticated attack vector.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can execute arbitrary code on a server running a vulnerable version of phoenix_storybook. This is achieved by exploiting a flaw in how WebSocket event data is handled, allowing malicious input to be interpolated directly into HEEx templates, which are then compiled and executed.

  • Unauthenticated network access required.
  • Target the WebSocket interface.
  • Exploit HEEx template injection.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability, impacting a component preview tool, is unlikely to be weaponized by widespread attackers due to its specific use case. Exploiting this would likely require an attacker to first gain access to the development or internal environment where the tool is running, rather than targeting public-facing infrastructure.

  • Affects development tool.
  • Requires internal network access.
  • No public exploit code known.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize the upgrade of `phoenix_storybook` to version 1.1.0 to address the critical code injection vulnerability, as this directly remediates the root cause. If immediate patching is not feasible due to operational constraints, implement network segmentation and stringent access controls to isolate affected development or staging environments.

  • Upgrade to version 1.1.0.
  • Isolate development/staging environments.
  • Monitor for suspicious network activity.

Frequently asked questions

What is phenixdigital phoenix_storybook and what is it used for?

phenixdigital phoenix_storybook is a tool used in software development, specifically for creating and previewing UI components. It helps developers visualize and test individual parts of an application's user interface during the design and development process.

How does CVE-2026-8467 let attackers run code?

CVE-2026-8467 is a code injection vulnerability. It arises because the software doesn't properly sanitize user-supplied data when generating HEEx templates. An attacker can craft input that, when rendered, includes malicious Elixir code, which the server then executes.

What are the attacker's preconditions to trigger this vulnerability?

An attacker needs to send unsanitized data through the psb-assign WebSocket event handler. It's not triggered by simply visiting a webpage; the attacker must interact with the specific WebSocket interface designed for component previews.

Who should be concerned about this threat advisory?

Organizations using phenixdigital phoenix_storybook, especially those where it might be accessible from internal networks or development environments, should be concerned. Halo classifies this as an external threat because it can be exploited over a network, even if typically used internally. [cite:haloSurfaceSignal]

What is the first step to respond to this threat?

The immediate and most effective step is to upgrade phenixdigital phoenix_storybook to version 1.1.0 or later. This upgrade addresses the underlying flaw that allows for code injection.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified