Impact
Poweradmin is a web-based DNS administration tool for PowerDNS servers. Versions before 4.2.4, and 4.3.x versions before 4.3.3, are vulnerable to CSV injection (formula injection) through the activity-log export. User-controlled data, specifically the username field, is written into the exported CSV without neutralizing the characters that spreadsheet applications treat as the start of a formula (=, +, -, @). Poweradmin itself evaluates nothing: the payload fires only when an administrator exports the logs and opens the file in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), which then interprets the attacker-chosen username as a formula. That enables phishing of the administrator (for example a hyperlink dressed up as a login prompt) or exfiltration of other cell contents to an attacker-controlled host. The weakness is classified as CWE-1236 (Improper Neutralization of Formula Elements in a CSV File).
Affected Systems
Poweradmin installations running versions before 4.2.4, or 4.3.x versions before 4.3.3, are affected: the log export writes the user-controlled username straight into the CSV file. Any administrator who exports the activity log and opens the file in a spreadsheet application is exposed. The fixed releases are 4.2.4 and 4.3.3, which neutralize formula-trigger characters in user data before embedding it in the CSV; upgrade to the fixed release for the branch in use. Until then, treat exported logs as untrusted input and inspect them in a plain-text editor before loading them into a spreadsheet.
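The vulnerable export and its hardened form side by side, plus a check that can be run over a file that was already exported, as an added example that is not Poweradmin's code. It illustrates both the injection described under Impact and the output-time sanitization the fixed releases apply. The log records, the usernames, and the helper names (neutralize_cell, export_csv, find_formula_cells) are constructed for this illustration; the trigger-character list follows the OWASP CSV Injection guidance, which also covers tab and carriage return beyond the four characters named in the advisory.

```python
import csv
import io

# Leading characters that Microsoft Excel, LibreOffice Calc and Google Sheets
# may treat as the start of a formula. This is the OWASP CSV Injection list;
# tab and carriage return are included because some applications honour them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed log records standing in for a Poweradmin activity-log export.
# The usernames are illustrative: the second and third are attacker-chosen.
SAMPLE_LOG = [
    {"timestamp": "2024-01-01 10:00:00", "username": "alice",
     "event": "zone example.org edited"},
    {"timestamp": "2024-01-01 10:05:00",
     "username": '=HYPERLINK("http://attacker.example/login","Session expired, sign in again")',
     "event": "login"},
    {"timestamp": "2024-01-01 10:06:00", "username": "-2+3",  # a spreadsheet evaluates this to 1
     "event": "login"},
    {"timestamp": "2024-01-01 10:07:00", "username": "-5",    # a genuine negative number must survive
     "event": "login"},
]
FIELDS = ["timestamp", "username", "event"]


def _is_plain_number(value):
    """True for values such as -5 or +3.5 that a spreadsheet shows as a number,
    not a formula; these must not be touched or the export becomes wrong."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def neutralize_cell(value):
    """Make one cell safe for a spreadsheet. A value that starts with a formula
    trigger and is not a plain number gets a leading apostrophe, which
    spreadsheet applications read as 'treat the rest as text'."""
    if value and value[0] in FORMULA_TRIGGERS and not _is_plain_number(value):
        return "'" + value
    return value


def export_csv(records, fields, sanitize):
    """Serialise records to CSV text.

    sanitize=False reproduces the vulnerable behaviour (user data written
    as-is); sanitize=True is the hardened form. QUOTE_ALL is used in both so
    a separator or newline inside a value cannot spill into extra cells or
    rows; quoting alone does nothing against formula triggers, which is the
    point of neutralize_cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for rec in records:
        row = [rec[f] for f in fields]
        if sanitize:
            row = [neutralize_cell(v) for v in row]
        writer.writerow(row)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit check for a file that was already exported: return
    (row, column, value) for every cell a spreadsheet would evaluate.
    Row 0 is the header line."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS and not _is_plain_number(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    vulnerable = export_csv(SAMPLE_LOG, FIELDS, sanitize=False)
    hardened = export_csv(SAMPLE_LOG, FIELDS, sanitize=True)
    print("cells flagged in the unsanitized export:")
    for r, c, cell in find_formula_cells(vulnerable):
        print(f"  row {r}, column {c}: {cell!r}")
    print("cells flagged in the hardened export:", find_formula_cells(hardened))
    print(hardened)
```

Running the script flags the HYPERLINK username and the "-2+3" username in the unsanitized export and nothing in the hardened one, while the legitimate "-5" is left untouched in both. The apostrophe prefix stays visible in some applications after import; that cosmetic cost is the accepted trade-off of the OWASP approach. Rejecting these characters when a username is created is a complementary control, but only output-time neutralization protects an export of data that was already stored.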
Risk and Exploitability
The CVSS base score is 6.9 (medium). No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. Exploitation needs two things: the attacker must be able to set a Poweradmin username containing a formula trigger, and a victim administrator must export the activity log and open the resulting file in a spreadsheet application that evaluates the formula. Because the second step happens outside Poweradmin, real-world risk depends on how administrators handle exported logs; note, though, that a username recorded in the activity log persists there, so a single crafted value can affect any later export. The potential for phishing of DNS administrators, or for leaking other log contents to an attacker-controlled host, makes the issue noteworthy for organizations that rely on Poweradmin for DNS management.
OpenCVE Enrichment source: Github GHSA