Poweradmin v4.4.0 CSV Injection and Path Disclosure in Log Export
What changed
CSV Injection (Formula Injection) vulnerability in log export: the user-controlled username field is written to the CSV without sanitizing formula trigger characters (=, +, -, @). In addition, PHP deprecation warnings are emitted before the CSV headers, exposing internal file paths.
Who it affects
Administrators who export activity logs to CSV and open them in spreadsheet applications (Microsoft Excel, LibreOffice Calc, Google Sheets).
What to do today
Update Poweradmin to a patched version once available. Alternatively, manually sanitize exported CSV files by prefixing formula trigger characters with a single quote or tab before opening in a spreadsheet.
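One way to carry out the manual sanitization described above, as an added example rather than Poweradmin code: it prefixes a single quote to any cell that begins with =, +, - or @ and reports each cell it changed. The sample rows, the column names, and the choice to leave plain signed numbers such as -5 untouched are assumptions of this example.

```python
import csv
import io
import re

TRIGGERS = ("=", "+", "-", "@")  # the trigger characters named in the advisory
# Assumption of this example: plain signed numbers are data, not formulas.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def neutralize_cell(value: str) -> str:
    """Prefix a single quote so a spreadsheet treats the cell as text."""
    if value.startswith(TRIGGERS) and not PLAIN_NUMBER.fullmatch(value):
        return "'" + value
    return value


def sanitize_csv(text: str):
    """Return (sanitized_text, findings); findings are (row, column, original)."""
    findings = []
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    # csv.reader copes with quoted fields, embedded commas and embedded newlines,
    # which a line-by-line text replacement would get wrong.
    reader = csv.reader(io.StringIO(text, newline=""))
    for row_no, row in enumerate(reader, start=1):
        clean = []
        for col_no, cell in enumerate(row, start=1):
            fixed = neutralize_cell(cell)
            if fixed != cell:
                findings.append((row_no, col_no, cell))
            clean.append(fixed)
        writer.writerow(clean)
    return out.getvalue(), findings


# Constructed sample export; column names and values are illustrative only.
SAMPLE = (
    "timestamp,username,event\n"
    "2024-01-01 10:00:00,alice,login\n"
    '2024-01-01 10:01:00,"=1+1",login\n'
    "2024-01-01 10:02:00,@bob,login\n"
    "2024-01-01 10:03:00,-5,login\n"
)

if __name__ == "__main__":
    cleaned, hits = sanitize_csv(SAMPLE)
    print(cleaned)
    for row_no, col_no, original in hits:
        print(f"row {row_no} col {col_no}: neutralized {original!r}")
```

The findings list doubles as a review aid: any row it reports contains a value in the export that began with a formula trigger character.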