GHSA-mrhx-6pw9-q5fh · Severity: low · Ecosystem: erlang — PhoenixStorybook has cross-session PubSub topic injection via URL parameter
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process. This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
Conclusion & alert: CVE-2026-47068 is rated Low Risk (20.9/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.41%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.05% | 0.41% | +0.35% |
| 2 | 2026-05-26 | 0.04% | 0.05% | +0.01% |
| 3 | 2026-05-21 | — | 0.04% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 2.3 | 4.0 | LOW |
|
— | — | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db |
GHSA-mrhx-6pw9-q5fh · Severity: low · Ecosystem: erlang — PhoenixStorybook has cross-session PubSub topic injection via URL parameter
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| phenixdigital | phoenix_storybook | >= 0.4.0, < 1.1.0 | cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:* |