CVE-2026-47693

MEDIUM 6.9

Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications

CVSS Score

6.9

EPSS Score

0.0%

EPSS Percentile

0th

Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data — specifically the username field — is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration. Versions 4.2.4 and 4.3.3 patch the issue.

CWE	CWE-1236
Vendor	poweradmin
Product	poweradmin
Published	Jun 23, 2026
Last Updated	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for poweradmin poweradmin

Be the first to know when new medium vulnerabilities affecting poweradmin poweradmin are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

poweradmin / poweradmin

< 4.2.4 >= 4.3.0, < 4.3.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x github.com: https://github.com/poweradmin/poweradmin/releases/tag/v4.2.4 github.com: https://github.com/poweradmin/poweradmin/releases/tag/v4.3.3