CVE-2026-47693
Status: Received - Intake
CSV Injection in Poweradmin Log Export

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Poweradmin is a web-based DNS administration tool for the PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection (Formula Injection) in the log export functionality. User-controlled data, specifically the username field, is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or for data exfiltration. Versions 4.2.4 and 4.3.3 patch the issue.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: poweradmin
Product: poweradmin
Version / Range: before 4.2.4 (excluded) and before 4.3.3 (excluded)
CWE
CWE-1236: The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Executive Summary

This vulnerability affects Poweradmin, a web-based DNS administration tool for the PowerDNS server. Versions prior to 4.2.4 and 4.3.3 have a CSV Injection (Formula Injection) issue in the log export functionality. Specifically, user-controlled data in the username field is written to exported CSV files without sanitizing the characters that trigger formulas (=, +, -, @). When an administrator exports activity logs and opens the CSV file in a spreadsheet application such as Microsoft Excel, LibreOffice Calc, or Google Sheets, any malicious formula embedded in the username is executed.

This can be exploited to perform phishing attacks against administrators or to exfiltrate data.

Impact Analysis

The vulnerability can lead to execution of malicious formulas when exported CSV files are opened by administrators in spreadsheet applications. This can result in phishing attacks targeting administrators or unauthorized data exfiltration.

Because the vulnerability involves executing arbitrary formulas, it can compromise the confidentiality and integrity of data managed through Poweradmin.

Detection Guidance

This vulnerability involves CSV Injection in the log export functionality of Poweradmin versions prior to 4.2.4 and 4.3.3, specifically through the username field in exported CSV files.

Detection can focus on examining exported CSV log files for formula trigger characters (=, +, -, @) at the start of username fields, which indicates a possible injection attempt.

Since the available information names no specific commands or detection tools, a manual inspection or a custom script that scans exported CSV files for usernames starting with these characters can be used.

Mitigation Strategies

The immediate mitigation step is to upgrade Poweradmin to version 4.2.4 or 4.3.3, where this CSV Injection vulnerability has been patched.

Additionally, avoid opening exported CSV log files directly in spreadsheet applications without sanitizing or validating the username fields to prevent execution of malicious formulas.
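The following Python script is an added example, not code from this page or from the Poweradmin project. It implements the scan the detection guidance describes (flag username cells that start with =, +, -, @) and the sanitization the mitigation section recommends before an export is opened in a spreadsheet; the sample export and its column layout are constructed, and the single-quote prefix is a generic CSV-injection defence rather than Poweradmin's own patch.

```python
import csv
import io

# Formula trigger characters named in the advisory.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate the cell instead of showing it as text."""
    return cell.startswith(FORMULA_TRIGGERS)

def scan_log_export(csv_text: str, column: str = "username") -> list[tuple[int, str]]:
    """Detection: (data row number, value) for each username cell that starts with a trigger."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        (row_no, row[column])
        for row_no, row in enumerate(reader, start=1)
        if is_formula_like(row.get(column) or "")
    ]

def neutralize(cell: str) -> str:
    """Mitigation: prefix a single quote so the spreadsheet keeps the cell as text.
    This is a generic CSV-injection defence, not the project's own patch."""
    return "'" + cell if is_formula_like(cell) else cell

def sanitize_log_export(csv_text: str, column: str = "username") -> str:
    """Rewrite an export with the username column neutralized before anyone opens it."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[column] = neutralize(row[column] or "")
        writer.writerow(row)
    return out.getvalue()

# Constructed sample export; the column layout is hypothetical, not Poweradmin's real format.
# Row 4 shows that the "-" trigger also catches names such as "-admin", so expect some noise.
SAMPLE_EXPORT = (
    "timestamp,username,action\n"
    "2026-06-20 10:00:00,alice,zone_add\n"
    "2026-06-20 10:05:00,=2+2,login\n"
    "2026-06-20 10:07:00,bob,zone_delete\n"
    "2026-06-20 10:09:00,-admin,login\n"
)

if __name__ == "__main__":
    for row_no, value in scan_log_export(SAMPLE_EXPORT):
        print(f"data row {row_no}: username starts with a formula trigger: {value!r}")
```

Run the scan over every export before it reaches a spreadsheet, or pass the export through sanitize_log_export first; a flagged legitimate name such as -admin is displayed with the leading quote, which is the expected trade-off of this defence.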
