Skip to content

Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications

Moderate severity GitHub Reviewed Published Jun 7, 2026 in poweradmin/poweradmin • Updated Jun 8, 2026

Package

composer poweradmin/poweradmin (Composer)

Affected versions

< 4.2.4
>= 4.3.0, < 4.3.3

Patched versions

4.2.4
4.3.3

Description

Description:

Summary

Poweradmin v4.4.0 is vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data — specifically the username field — is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration.

Details

The vulnerability exists in all four log export controllers:

  • lib/Application/Controller/ListLogUsersController.php (lines 188, 194)
  • lib/Application/Controller/ListLogZonesController.php
  • lib/Application/Controller/ListLogGroupsController.php
  • lib/Application/Controller/ListLogApiController.php

These controllers export database rows via fputcsv() without applying any formula injection countermeasures. The user column contains the username of the actor who performed the operation, and the username column (in user logs) contains the username of the affected account. Both fields are written verbatim to the CSV output.

A username such as =1+1 is written without CSV enclosure quotes (because it contains no commas or quotes), so spreadsheet applications treat it directly as a formula. A username containing commas or quotes (e.g. =HYPERLINK("http://attacker.com","Click here")) is enclosed in CSV quotes with internal quotes doubled, but spreadsheet applications still evaluate the cell value as a formula since it begins with =.

Additionally, PHP deprecation warnings are emitted directly into the HTTP response body before CSV headers, exposing internal file paths (e.g. /app/lib/Application/Controller/ListLogUsersController.php) — a secondary information disclosure issue (CWE-209). This also corrupts the CSV file when PHP error reporting is enabled.

PoC

Prerequisites: An account with user_add_new permission (administrator role).

Steps to reproduce:

  1. Log in as administrator.
  2. Navigate to Add User and create an account with:
    • Username: =HYPERLINK("http://attacker.com","Confirm Identity")
    • Any valid email and password
  3. Log out, then log in with the newly created account to generate a log entry.
  4. Log back in as administrator.
  5. Navigate to /users/logs and click Export CSV.
  6. Open the downloaded CSV file in Microsoft Excel or LibreOffice Calc.

Result: Excel renders a clickable hyperlink labeled "Confirm Identity" pointing to http://attacker.com in the user column of the log entry. With the simpler username =1+1, the cell displays 2 instead of the literal text, confirming formula execution.

Confirmed on Poweradmin v4.4.0 (Docker image poweradmin/poweradmin:latest).

Impact

This is a CSV Injection vulnerability (CWE-1236). It affects any administrator who exports activity logs to CSV and opens the file in a spreadsheet application.

Attack scenarios:

  • Phishing: A malicious actor with the ability to create user accounts sets a formula username that renders as a convincing link in the exported report, tricking a higher-privileged administrator into clicking it.
  • Data exfiltration: Using =IMPORTXML() in Google Sheets or similar, adjacent cell data (log contents) can be sent to an attacker-controlled server silently when the sheet is opened.

References

@edmondas edmondas published to poweradmin/poweradmin Jun 7, 2026
Published to the GitHub Advisory Database Jun 8, 2026
Reviewed Jun 8, 2026
Last updated Jun 8, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(10th percentile)

Weaknesses

Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Learn more on MITRE.

CVE ID

CVE-2026-47693

GHSA ID

GHSA-3h6h-67x3-cv5x

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.