Common Weakness Enumeration

CWE-134

Allowed

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

500 vulnerabilities reference this CWE, most recent first.

GHSA-J2R3-MQ93-52W3

Vulnerability from github – Published: 2022-05-01 07:10 – Updated: 2022-05-01 07:10
VLAI
Details

Format string vulnerability in the WriteText function in agl_text.cpp in Milan Mimica Sparklet 0.9.4 and earlier allows remote attackers to execute arbitrary code via format string specifiers in a player nickname.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-3573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-07-13T10:05:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the WriteText function in agl_text.cpp in Milan Mimica Sparklet 0.9.4 and earlier allows remote attackers to execute arbitrary code via format string specifiers in a player nickname.",
  "id": "GHSA-j2r3-mq93-52w3",
  "modified": "2022-05-01T07:10:28Z",
  "published": "2022-05-01T07:10:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-3573"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27603"
    },
    {
      "type": "WEB",
      "url": "http://aluigi.altervista.org/adv/sparkletfs-adv.txt"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/20974"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1016443"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/27038"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/439475/100/100/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/18862"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/18949"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/2695"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/2763"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J433-WPFX-CXG3

Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04
VLAI
Details

Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-09T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.",
  "id": "GHSA-j433-wpfx-cxg3",
  "modified": "2022-05-13T01:04:15Z",
  "published": "2022-05-13T01:04:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6508"
    },
    {
      "type": "WEB",
      "url": "https://puppet.com/security/cve/CVE-2018-6508"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J468-6FHG-5W3C

Vulnerability from github – Published: 2022-05-01 23:27 – Updated: 2025-04-09 03:52
VLAI
Details

Format string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-0072"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-03-06T00:44:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field.",
  "id": "GHSA-j468-6fhg-5w3c",
  "modified": "2025-04-09T03:52:10Z",
  "published": "2022-05-01T23:27:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0072"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41011"
    },
    {
      "type": "WEB",
      "url": "https://issues.rpath.com/browse/RPL-2310"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10701"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00190.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00195.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29057"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29163"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29210"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29244"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29258"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29264"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29317"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/30437"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/30491"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/secunia_research/2008-8/advisory"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200803-12.xml"
    },
    {
      "type": "WEB",
      "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0105"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2008/dsa-1512"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/512491"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:063"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0177.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0178.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/492684/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28102"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1019540"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/usn-583-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/0768/references"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J4JH-VHQ4-RGHJ

Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2022-10-27 19:00
VLAI
Details

Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities.This vulnerability arises from format string injection via ST and Location HTTP response headers, as used within the DoEnumUPnPService action handler.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities.This vulnerability arises from format string injection via `ST` and `Location` HTTP response headers, as used within the `DoEnumUPnPService` action handler.",
  "id": "GHSA-j4jh-vhq4-rghj",
  "modified": "2022-10-27T19:00:32Z",
  "published": "2022-10-25T19:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35878"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1583"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J5JP-WRF9-62RX

Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2022-10-27 19:00
VLAI
Details

Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability arises from format string injection via the default_key_id HTTP parameter, as used within the /action/wirelessConnect handler.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability arises from format string injection via the `default_key_id` HTTP parameter, as used within the `/action/wirelessConnect` handler.",
  "id": "GHSA-j5jp-wrf9-62rx",
  "modified": "2022-10-27T19:00:35Z",
  "published": "2022-10-25T19:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35887"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1585"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J683-V94G-H65C

Vulnerability from github – Published: 2023-02-01 18:30 – Updated: 2023-02-09 15:30
VLAI
Details

In BIG-IP starting in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5 on their respective branches, a format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-01T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In BIG-IP starting in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5 on their respective branches, a format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-j683-v94g-h65c",
  "modified": "2023-02-09T15:30:26Z",
  "published": "2023-02-01T18:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22374"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000130415"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J863-F9RP-WC8M

Vulnerability from github – Published: 2022-05-02 03:43 – Updated: 2022-05-02 03:43
VLAI
Details

Blocks/Common/Src/Configuration/Manageability/Adm/AdmContentBuilder.cs in Microsoft patterns & practices Enterprise Library (aka EntLib) allows context-dependent attackers to cause a denial of service (CPU consumption) via an input string composed of many \ (backslash) characters followed by a " (double quote), related to a certain regular expression, aka a "ReDoS" vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-3275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-09-21T19:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Blocks/Common/Src/Configuration/Manageability/Adm/AdmContentBuilder.cs in Microsoft patterns \u0026 practices Enterprise Library (aka EntLib) allows context-dependent attackers to cause a denial of service (CPU consumption) via an input string composed of many \\ (backslash) characters followed by a \" (double quote), related to a certain regular expression, aka a \"ReDoS\" vulnerability.",
  "id": "GHSA-j863-f9rp-wc8m",
  "modified": "2022-05-02T03:43:29Z",
  "published": "2022-05-02T03:43:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3275"
    },
    {
      "type": "WEB",
      "url": "http://www.checkmarx.com/Upload/Documents/PDF/Checkmarx_OWASP_IL_2009_ReDoS.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/506419/100/0/threaded"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J88J-Q5W5-7Q9P

Vulnerability from github – Published: 2026-07-14 00:31 – Updated: 2026-07-14 00:31
VLAI
Details

Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the parsing of JSON requests in the sonia binary. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-25884.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-13T22:16:45Z",
    "severity": "HIGH"
  },
  "details": "Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the parsing of JSON requests in the sonia binary. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-25884.",
  "id": "GHSA-j88j-q5w5-7q9p",
  "modified": "2026-07-14T00:31:01Z",
  "published": "2026-07-14T00:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15680"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-398"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCCC-47H3-6R27

Vulnerability from github – Published: 2022-05-02 06:12 – Updated: 2022-05-02 06:12
VLAI
Details

Format string vulnerability in the WebDAV implementation in webservd in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in the encoding attribute of the XML declaration in a PROPFIND request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-0388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-01-25T19:30:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the WebDAV implementation in webservd in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in the encoding attribute of the XML declaration in a PROPFIND request.",
  "id": "GHSA-jccc-47h3-6r27",
  "modified": "2022-05-02T06:12:19Z",
  "published": "2022-05-02T06:12:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0388"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55812"
    },
    {
      "type": "WEB",
      "url": "http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70-webdav.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/37910"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JFV6-C5MJ-2XVJ

Vulnerability from github – Published: 2022-05-17 05:41 – Updated: 2025-04-11 03:47
VLAI
Details

Format string vulnerability in ECTrace.dll in the iMailGateway service in the Internet Mail Gateway in OneBridge Server and DMZ Proxy in Sybase OneBridge Mobile Data Suite 5.5 and 5.6 allows remote attackers to execute arbitrary code via format string specifiers in unspecified string fields, related to authentication logging.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-2475"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-06-09T21:55:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in ECTrace.dll in the iMailGateway service in the Internet Mail Gateway in OneBridge Server and DMZ Proxy in Sybase OneBridge Mobile Data Suite 5.5 and 5.6 allows remote attackers to execute arbitrary code via format string specifiers in unspecified string fields, related to authentication logging.",
  "id": "GHSA-jfv6-c5mj-2xvj",
  "modified": "2025-04-11T03:47:42Z",
  "published": "2022-05-17T05:41:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2475"
    },
    {
      "type": "WEB",
      "url": "http://www.sybase.com/detail?id=1092074"
    },
    {
      "type": "WEB",
      "url": "http://zerodayinitiative.com/advisories/ZDI-11-171"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Requirements

Choose a language that is not subject to this flaw.

Mitigation
Implementation

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Mitigation
Build and Compilation

Run compilers and linkers with high warning levels, since they may detect incorrect usage.

CAPEC-135: Format String Injection

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

CAPEC-67: String Format Overflow in syslog()

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.