Vulnerability-Lookup

CVE-2026-47693 (GCVE-0-2026-47693)

Vulnerability from cvelistv5 – Published: 2026-06-23 22:07 – Updated: 2026-06-24 14:46

Title

Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications

Summary

Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data — specifically the username field — is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration. Versions 4.2.4 and 4.3.3 patch the issue.

Severity

6.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/poweradmin/poweradmin/security…	x_refsource_CONFIRM
https://github.com/poweradmin/poweradmin/releases…	x_refsource_MISC
https://github.com/poweradmin/poweradmin/releases…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
poweradmin	poweradmin	Affected: < 4.2.4 Affected: >= 4.3.0, < 4.3.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47693",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T14:45:52.225041Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T14:46:24.461Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "poweradmin",
          "vendor": "poweradmin",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.2.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.3.0, \u003c 4.3.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data \u2014 specifically the username field \u2014 is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration. Versions 4.2.4 and 4.3.3 patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T22:09:15.910Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x"
        },
        {
          "name": "https://github.com/poweradmin/poweradmin/releases/tag/v4.2.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/poweradmin/poweradmin/releases/tag/v4.2.4"
        },
        {
          "name": "https://github.com/poweradmin/poweradmin/releases/tag/v4.3.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/poweradmin/poweradmin/releases/tag/v4.3.3"
        }
      ],
      "source": {
        "advisory": "GHSA-3h6h-67x3-cv5x",
        "discovery": "UNKNOWN"
      },
      "title": "Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47693",
    "datePublished": "2026-06-23T22:07:25.569Z",
    "dateReserved": "2026-05-19T21:18:20.403Z",
    "dateUpdated": "2026-06-24T14:46:24.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-47693",
      "date": "2026-06-24",
      "epss": "0.00229",
      "percentile": "0.13443"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-47693\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-24T14:45:52.225041Z\"}}}], \"references\": [{\"url\": \"https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-24T14:46:15.245Z\"}}], \"cna\": {\"title\": \"Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications\", \"source\": {\"advisory\": \"GHSA-3h6h-67x3-cv5x\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"poweradmin\", \"product\": \"poweradmin\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.2.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.3.0, \u003c 4.3.3\"}]}], \"references\": [{\"url\": \"https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x\", \"name\": \"https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/poweradmin/poweradmin/releases/tag/v4.2.4\", \"name\": \"https://github.com/poweradmin/poweradmin/releases/tag/v4.2.4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/poweradmin/poweradmin/releases/tag/v4.3.3\", \"name\": \"https://github.com/poweradmin/poweradmin/releases/tag/v4.3.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data \\u2014 specifically the username field \\u2014 is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration. Versions 4.2.4 and 4.3.3 patch the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1236\", \"description\": \"CWE-1236: Improper Neutralization of Formula Elements in a CSV File\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-23T22:09:15.910Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-47693\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-24T14:46:24.461Z\", \"dateReserved\": \"2026-05-19T21:18:20.403Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-23T22:07:25.569Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-3H6H-67X3-CV5X

Vulnerability from github – Published: 2026-06-08 23:04 – Updated: 2026-06-08 23:04

Summary

Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications

Details

Description:

Summary

Poweradmin v4.4.0 is vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data — specifically the username field — is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration.

Details

The vulnerability exists in all four log export controllers:

lib/Application/Controller/ListLogUsersController.php (lines 188, 194)
lib/Application/Controller/ListLogZonesController.php
lib/Application/Controller/ListLogGroupsController.php
lib/Application/Controller/ListLogApiController.php

These controllers export database rows via fputcsv() without applying any formula injection countermeasures. The user column contains the username of the actor who performed the operation, and the username column (in user logs) contains the username of the affected account. Both fields are written verbatim to the CSV output.

A username such as =1+1 is written without CSV enclosure quotes (because it contains no commas or quotes), so spreadsheet applications treat it directly as a formula. A username containing commas or quotes (e.g. =HYPERLINK("http://attacker.com","Click here")) is enclosed in CSV quotes with internal quotes doubled, but spreadsheet applications still evaluate the cell value as a formula since it begins with =.

Additionally, PHP deprecation warnings are emitted directly into the HTTP response body before CSV headers, exposing internal file paths (e.g. /app/lib/Application/Controller/ListLogUsersController.php) — a secondary information disclosure issue (CWE-209). This also corrupts the CSV file when PHP error reporting is enabled.

PoC

Prerequisites: An account with user_add_new permission (administrator role).

Steps to reproduce:

Log in as administrator.
Navigate to Add User and create an account with:
Username: =HYPERLINK("http://attacker.com","Confirm Identity")
Any valid email and password
Log out, then log in with the newly created account to generate a log entry.
Log back in as administrator.
Navigate to /users/logs and click Export CSV.
Open the downloaded CSV file in Microsoft Excel or LibreOffice Calc.

Result: Excel renders a clickable hyperlink labeled "Confirm Identity" pointing to http://attacker.com in the user column of the log entry. With the simpler username =1+1, the cell displays 2 instead of the literal text, confirming formula execution.

Confirmed on Poweradmin v4.4.0 (Docker image poweradmin/poweradmin:latest).

Impact

This is a CSV Injection vulnerability (CWE-1236). It affects any administrator who exports activity logs to CSV and opens the file in a spreadsheet application.

Attack scenarios:

Phishing: A malicious actor with the ability to create user accounts sets a formula username that renders as a convincing link in the exported report, tricking a higher-privileged administrator into clicking it.
Data exfiltration: Using =IMPORTXML() in Google Sheets or similar, adjacent cell data (log contents) can be sent to an attacker-controlled server silently when the sheet is opened.

Severity

6.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "poweradmin/poweradmin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "poweradmin/poweradmin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-08T23:04:25Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Description:\n\n### Summary\n\nPoweradmin v4.4.0 is vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data \u2014 specifically the username field \u2014 is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration.\n\n### Details\n\nThe vulnerability exists in all four log export controllers:\n\n- `lib/Application/Controller/ListLogUsersController.php` (lines 188, 194)\n- `lib/Application/Controller/ListLogZonesController.php`\n- `lib/Application/Controller/ListLogGroupsController.php`\n- `lib/Application/Controller/ListLogApiController.php`\n\nThese controllers export database rows via `fputcsv()` without applying any formula injection countermeasures. The `user` column contains the username of the actor who performed the operation, and the `username` column (in user logs) contains the username of the affected account. Both fields are written verbatim to the CSV output.\n\nA username such as `=1+1` is written **without CSV enclosure quotes** (because it contains no commas or quotes), so spreadsheet applications treat it directly as a formula. A username containing commas or quotes (e.g. `=HYPERLINK(\"http://attacker.com\",\"Click here\")`) is enclosed in CSV quotes with internal quotes doubled, but spreadsheet applications still evaluate the cell value as a formula since it begins with `=`.\n\nAdditionally, PHP deprecation warnings are emitted directly into the HTTP response body before CSV headers, exposing internal file paths (e.g. `/app/lib/Application/Controller/ListLogUsersController.php`) \u2014 a secondary information disclosure issue (CWE-209). This also corrupts the CSV file when PHP error reporting is enabled.\n\n### PoC\n\n**Prerequisites:** An account with `user_add_new` permission (administrator role).\n\n**Steps to reproduce:**\n\n1. Log in as administrator.\n2. Navigate to Add User and create an account with:\n   - Username: `=HYPERLINK(\"http://attacker.com\",\"Confirm Identity\")`\n   - Any valid email and password\n3. Log out, then log in with the newly created account to generate a log entry.\n4. Log back in as administrator.\n5. Navigate to `/users/logs` and click Export CSV.\n6. Open the downloaded CSV file in Microsoft Excel or LibreOffice Calc.\n\n**Result:** Excel renders a clickable hyperlink labeled \"Confirm Identity\" pointing to `http://attacker.com` in the `user` column of the log entry. With the simpler username `=1+1`, the cell displays `2` instead of the literal text, confirming formula execution.\n\nConfirmed on Poweradmin v4.4.0 (Docker image `poweradmin/poweradmin:latest`).\n\n### Impact\n\nThis is a CSV Injection vulnerability (CWE-1236). It affects any administrator who exports activity logs to CSV and opens the file in a spreadsheet application.\n\n**Attack scenarios:**\n\n- **Phishing:** A malicious actor with the ability to create user accounts sets a formula username that renders as a convincing link in the exported report, tricking a higher-privileged administrator into clicking it.\n- **Data exfiltration:** Using `=IMPORTXML()` in Google Sheets or similar, adjacent cell data (log contents) can be sent to an attacker-controlled server silently when the sheet is opened.",
  "id": "GHSA-3h6h-67x3-cv5x",
  "modified": "2026-06-08T23:04:25Z",
  "published": "2026-06-08T23:04:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/poweradmin/poweradmin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/poweradmin/poweradmin/releases/tag/v4.2.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/poweradmin/poweradmin/releases/tag/v4.3.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-47693 (GCVE-0-2026-47693)

GHSA-3H6H-67X3-CV5X

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature