CSV Injection Vulnerability in Poweradmin DNS Management Tool by PowerDNS
CVE-2026-47693

6.9 MEDIUM

Key Information:

Vendor: Poweradmin

CVE Published: 23 June 2026

What is CVE-2026-47693?

Poweradmin, a web-based DNS administration tool for PowerDNS servers, is susceptible to CSV Injection through its log export feature. Specifically, this issue arises when user-related data, particularly from the username field, is exported to CSV files without adequate sanitization of formula-triggering characters such as '=', '+', '-', and '@'. As a result, when the exported CSV file is opened in common spreadsheet applications, any formula embedded in the username can be executed, potentially enabling phishing attacks against administrators or leading to unauthorized data exfiltration. The vulnerability is addressed in Poweradmin versions 4.2.4 and 4.3.3.

Affected Version(s)

poweradmin < 4.2.4

poweradmin >= 4.3.0, < 4.3.3

CVSS V3.1

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
