Poweradmin Host Header Injection Lets Attackers Hijack DNS Accounts

A critical vulnerability in Poweradmin, tracked as CVE-2026-54588, lets an attacker take over DNS administrator accounts through Host header injection. It carries a CVSS score of 9.6 (critical). Affected versions are those before 4.2.4 and 4.3.0 through 4.3.2. Host header injection means the application trusts the client-supplied Host header when building its own URLs; here, a spoofed Host header manipulates the login flow so that the authorization code is delivered to a host the attacker controls, handing over the account without the attacker ever knowing its password. No active exploitation has been reported so far, but users are advised to upgrade to 4.2.4 or 4.3.3. As a general defence-in-depth measure for any application that derives URLs from the Host header, the web server or reverse proxy in front of Poweradmin should also reject requests whose Host header does not match the deployment's canonical hostname.
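The following is an added illustration of the flaw class described above, written for this page and not taken from Poweradmin's source; it assumes an OIDC-style login flow in which the callback (redirect_uri) is built from the request's Host header, and all hostnames, function names and the `CANONICAL_HOST` setting are invented for the example. It contrasts the vulnerable construction with a hardened one that checks Host against a configured canonical value and never copies the header into the URL.

```python
"""Model of a Host-header-injection flaw in an OIDC-style login flow and its
hardened counterpart. Added example code, not Poweradmin's source; the
function names, hostnames and configuration value are assumptions."""
from urllib.parse import urlencode, urlparse

# Constructed sample requests: one honest, one carrying a spoofed Host header.
HONEST_REQUEST = {"headers": {"Host": "dns-admin.example.org"}, "secure": True}
SPOOFED_REQUEST = {"headers": {"Host": "attacker.example"}, "secure": True}

# The only hostname the deployment is really served under (assumed config).
CANONICAL_HOST = "dns-admin.example.org"


def vulnerable_redirect_uri(request):
    """Builds redirect_uri from the client-supplied Host header, so whatever
    the attacker places in Host becomes the destination for the code."""
    scheme = "https" if request["secure"] else "http"
    host = request["headers"]["Host"]
    return f"{scheme}://{host}/oidc/callback"


def hardened_redirect_uri(request, canonical_host=CANONICAL_HOST):
    """Rejects any request whose Host header is not the configured canonical
    host, then builds redirect_uri from configuration, not from the header."""
    host = request["headers"].get("Host", "")
    # Drop an explicit port before comparing; "host:443" is still our host.
    if host.split(":", 1)[0].lower() != canonical_host:
        raise ValueError(f"unexpected Host header: {host!r}")
    scheme = "https" if request["secure"] else "http"
    return f"{scheme}://{canonical_host}/oidc/callback"


def build_authorize_url(redirect_uri, client_id="poweradmin", state="opaque"):
    """Authorization request the browser is sent to. The identity provider
    delivers the code to redirect_uri, so an attacker-controlled
    redirect_uri leaks the code to the attacker."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return "https://idp.example.org/authorize?" + urlencode(params)


def code_lands_on_attacker(redirect_uri, attacker_host="attacker.example"):
    """Quick check a reviewer can run: is the code delivered off-site?"""
    return urlparse(redirect_uri).hostname == attacker_host


if __name__ == "__main__":
    leaked = vulnerable_redirect_uri(SPOOFED_REQUEST)
    print("vulnerable:", build_authorize_url(leaked))
    print("code goes to attacker:", code_lands_on_attacker(leaked))
    print("hardened (honest):", hardened_redirect_uri(HONEST_REQUEST))
    try:
        hardened_redirect_uri(SPOOFED_REQUEST)
    except ValueError as exc:
        print("hardened (spoofed) rejected:", exc)
```

The hardened version treats the canonical hostname as configuration rather than as something the client may assert; the same rule should be enforced again at the reverse proxy so that a request with an unexpected Host header never reaches the application at all.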
Article by CyberSIXT