CWE-134
AllowedUse of Externally-Controlled Format String
Abstraction: Base · Status: Draft
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
499 vulnerabilities reference this CWE, most recent first.
GHSA-PGJF-23QM-F427
Vulnerability from github – Published: 2026-06-16 12:32 – Updated: 2026-06-16 12:32A format string vulnerability has been found in the "alias" parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior. This vulnerability stems from insufficient input validation and improper handling of externally supplied format strings. An attacker could exploit this vulnerability by sending crafted input to the web service, causing unintended memory disclosure. Successful exploitation may allow an attacker to leak sensitive memory contents and determine critical memory addresses, potentially bypassing Address Space Layout Randomization (ASLR) protections.
{
"affected": [],
"aliases": [
"CVE-2026-10828"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T12:16:24Z",
"severity": "MODERATE"
},
"details": "A format string vulnerability has been found in the \"alias\" parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior. This vulnerability stems from insufficient input validation and improper handling of externally supplied format strings. An attacker could exploit this vulnerability by sending crafted input to the web service, causing unintended memory disclosure. Successful exploitation may allow an attacker to leak sensitive memory contents and determine critical memory addresses, potentially bypassing Address Space Layout Randomization (ASLR) protections.",
"id": "GHSA-pgjf-23qm-f427",
"modified": "2026-06-16T12:32:01Z",
"published": "2026-06-16T12:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10828"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261910-cve-2026-10828,-cve-2026-10829-use-of-externally-controlled-format-string-and-stack-based-buffer-overflow-v"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PH8M-X93X-PX88
Vulnerability from github – Published: 2021-12-07 00:00 – Updated: 2022-11-23 03:30An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A crafted HTTP request could induce a format string vulnerability in the privileged vaultServer application.
{
"affected": [],
"aliases": [
"CVE-2021-43041"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-06T04:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A crafted HTTP request could induce a format string vulnerability in the privileged vaultServer application.",
"id": "GHSA-ph8m-x93x-px88",
"modified": "2022-11-23T03:30:22Z",
"published": "2021-12-07T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43041"
},
{
"type": "WEB",
"url": "https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961"
},
{
"type": "WEB",
"url": "https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-1"
},
{
"type": "WEB",
"url": "https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PHM5-XV24-X889
Vulnerability from github – Published: 2022-06-14 00:00 – Updated: 2022-06-28 00:00The voice wakeup module has a vulnerability of using externally-controlled format strings. Successful exploitation of this vulnerability may affect system availability.
{
"affected": [],
"aliases": [
"CVE-2022-31753"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-13T16:15:00Z",
"severity": "HIGH"
},
"details": "The voice wakeup module has a vulnerability of using externally-controlled format strings. Successful exploitation of this vulnerability may affect system availability.",
"id": "GHSA-phm5-xv24-x889",
"modified": "2022-06-28T00:00:59Z",
"published": "2022-06-14T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31753"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/6"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202206-0000001270350482"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PJC4-2X49-3J92
Vulnerability from github – Published: 2023-09-07 09:30 – Updated: 2024-03-27 09:30It is identified a format string vulnerability in ASUS RT-AX56U V2’s iperf client function API. This vulnerability is caused by lacking validation for a specific value within its set_iperf3_cli.cgi module. An unauthenticated remote attacker can exploit this vulnerability without privilege to perform remote arbitrary code execution, arbitrary system operation or disrupt service.
{
"affected": [],
"aliases": [
"CVE-2023-39240"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-07T08:15:07Z",
"severity": "HIGH"
},
"details": "\nIt is identified a format string vulnerability in ASUS RT-AX56U V2\u2019s iperf client function API. This vulnerability is caused by lacking validation for a specific value within its set_iperf3_cli.cgi module. An unauthenticated remote attacker can exploit this vulnerability without privilege to perform remote arbitrary code execution, arbitrary system operation or disrupt service.\n\n",
"id": "GHSA-pjc4-2x49-3j92",
"modified": "2024-03-27T09:30:39Z",
"published": "2023-09-07T09:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39240"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7356-021bf-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PM8G-J2PP-65H6
Vulnerability from github – Published: 2022-05-01 23:42 – Updated: 2022-05-01 23:42Format string vulnerability in the logging function in IBM solidDB 06.00.1018 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the (1) user name, (2) peer name, and possibly unspecified other fields.
{
"affected": [],
"aliases": [
"CVE-2008-1705"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-04-09T19:05:00Z",
"severity": "MODERATE"
},
"details": "Format string vulnerability in the logging function in IBM solidDB 06.00.1018 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the (1) user name, (2) peer name, and possibly unspecified other fields.",
"id": "GHSA-pm8g-j2pp-65h6",
"modified": "2022-05-01T23:42:38Z",
"published": "2022-05-01T23:42:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1705"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41485"
},
{
"type": "WEB",
"url": "http://aluigi.altervista.org/adv/soliduro-adv.txt"
},
{
"type": "WEB",
"url": "http://aluigi.org/poc/soliduro.zip"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/29512"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1019721"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/490129/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/28468"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/1038"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PM9X-2X8V-8WW4
Vulnerability from github – Published: 2022-05-13 01:29 – Updated: 2022-05-13 01:29The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling.
{
"affected": [],
"aliases": [
"CVE-2018-16554"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-16T02:29:00Z",
"severity": "HIGH"
},
"details": "The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling.",
"id": "GHSA-pm9x-2x8v-8ww4",
"modified": "2022-05-13T01:29:06Z",
"published": "2022-05-13T01:29:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16554"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908176"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00037.html"
},
{
"type": "WEB",
"url": "https://nimo-zhang.github.io/2018/09/07/bug-analysis-1/#more"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PMHC-782W-QWJV
Vulnerability from github – Published: 2022-05-14 01:22 – Updated: 2022-05-14 01:22When using an incomplete variable argument, Irssi before 1.0.6 may access data beyond the end of the string.
{
"affected": [],
"aliases": [
"CVE-2018-5207"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-06T16:29:00Z",
"severity": "HIGH"
},
"details": "When using an incomplete variable argument, Irssi before 1.0.6 may access data beyond the end of the string.",
"id": "GHSA-pmhc-782w-qwjv",
"modified": "2022-05-14T01:22:28Z",
"published": "2022-05-14T01:22:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5207"
},
{
"type": "WEB",
"url": "https://irssi.org/security/irssi_sa_2018_01.txt"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4162"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PMJ5-P8GW-HPGQ
Vulnerability from github – Published: 2026-06-06 00:31 – Updated: 2026-06-06 00:31An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.
Successful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation.
{
"affected": [],
"aliases": [
"CVE-2026-6241"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-06T00:16:41Z",
"severity": "MODERATE"
},
"details": "An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.\n\nSuccessful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation.",
"id": "GHSA-pmj5-p8gw-hpgq",
"modified": "2026-06-06T00:31:38Z",
"published": "2026-06-06T00:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6241"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/us/support/faq/5120"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PRR8-97X3-2662
Vulnerability from github – Published: 2022-05-01 06:59 – Updated: 2025-04-03 04:32Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.
{
"affected": [],
"aliases": [
"CVE-2006-2480"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2006-05-19T21:02:00Z",
"severity": "MODERATE"
},
"details": "Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.",
"id": "GHSA-prr8-97x3-2662",
"modified": "2025-04-03T04:32:48Z",
"published": "2022-05-01T06:59:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2006-2480"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11224"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/286-1"
},
{
"type": "WEB",
"url": "http://bugzilla.gnome.org/show_bug.cgi?id=342111"
},
{
"type": "WEB",
"url": "http://kandangjamur.net/tutorial/dia.txt"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20199"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20254"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20339"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20422"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20457"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20513"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1016203"
},
{
"type": "WEB",
"url": "http://www.gentoo.org/security/en/glsa/glsa-200606-03.xml"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2006:093"
},
{
"type": "WEB",
"url": "http://www.novell.com/linux/security/advisories/2006-06-02.html"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/25699"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2006-0541.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/82/433313/30/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/18078"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2006/1908"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PV2R-85QJ-VW79
Vulnerability from github – Published: 2022-05-14 01:54 – Updated: 2022-05-14 01:54Format string vulnerability in VPN in Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.
{
"affected": [],
"aliases": [
"CVE-2012-0646"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-03-08T22:55:00Z",
"severity": "HIGH"
},
"details": "Format string vulnerability in VPN in Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.",
"id": "GHSA-pv2r-85qj-vw79",
"modified": "2022-05-14T01:54:56Z",
"published": "2022-05-14T01:54:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0646"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2012/Mar/msg00001.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48288"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1026774"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Choose a language that is not subject to this flaw.
Mitigation
Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Mitigation
Run compilers and linkers with high warning levels, since they may detect incorrect usage.
CAPEC-135: Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
CAPEC-67: String Format Overflow in syslog()
This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.