CVE-2026-8469

Published: Mag 20, 2026 Last Modified: Mag 20, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,2

Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.

Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the 'attr' value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of 'variation_id'; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.

This issue affects phoenix_storybook from 0.2.0 before 1.1.0.