The vulnerability in phoenix_storybook occurs in the psb-assign WebSocket event handler within 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3, which accepts arbitrary attribute names and values from unauthenticated clients. These values are passed without sanitization to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3 and stored verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates these attribute values directly into HEEx template strings without escaping double quotes or HEEx expression delimiters. An attacker can craft an attribute value containing a closing quote followed by a HEEx expression block, causing the expression to be compiled and executed with full Kernel imports and no sandbox restrictions. This results in unauthenticated remote code execution on the server. The issue affects phoenix_storybook versions from 0.5.0 up to but not including 1.1.0. No vendor advisory or patch links are currently available.

Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on the server hosting phoenix_storybook, potentially leading to full system compromise. The vulnerability has a CVSS 4.0 score of 9.5, reflecting critical impact with network attack vector, low attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, availability, and security requirements. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid exposing the vulnerable phoenix_storybook versions to untrusted networks or unauthenticated users. Consider implementing network-level access controls or disabling the vulnerable WebSocket event handler if possible. Monitor vendor channels for updates and apply patches promptly once available.