CWE-134
Use of Externally-Controlled Format String
Description
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-135 · CAPEC-67
CVEs mapped to this weakness (252)
page 1 of 13| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-10055 | — | Cri | 0.69 | — | 0.02 | Aug 13, 2025 | ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically… | |
| CVE-2018-6317 | Cri | 0.66 | 9.1 | 0.44 | Feb 2, 2018 | The remote management interface in Claymore Dual Miner 10.5 and earlier is vulnerable to an unauthenticated format string vulnerability, allowing remote attackers to read memory or cause a denial of service. | ||
| CVE-2026-50211 | Cri | 0.64 | 9.8 | 0.00 | Jun 4, 2026 | Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers. | ||
| CVE-2018-0175 | Hig | 0.64 | 8.0 | 0.04 | KEV | Mar 28, 2018 | Format String vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with… | |
| CVE-2017-17407 | Cri | 0.64 | 9.8 | 0.04 | Jan 23, 2018 | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager v7.2.699 build 1001. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the content… | ||
| CVE-2017-16608 | Cri | 0.64 | 9.8 | 0.04 | Jan 23, 2018 | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within exec.jsp. The issue results from the lack of proper… | ||
| CVE-2017-12588 | Cri | 0.64 | 9.8 | 0.03 | Aug 6, 2017 | The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact. | ||
| CVE-2017-10685 | Cri | 0.64 | 9.8 | 0.04 | Jun 29, 2017 | In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack. | ||
| CVE-2016-5074 | Cri | 0.64 | 9.8 | 0.01 | Apr 10, 2017 | CloudView NMS before 2.10a has a format string issue exploitable over SNMP. | ||
| CVE-2015-7271 | Cri | 0.64 | 9.8 | 0.03 | Apr 10, 2017 | Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has a format string issue in racadm getsystinfo. | ||
| CVE-2016-4448 | Cri | 0.64 | 9.8 | 0.07 | Jun 9, 2016 | Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors. | ||
| CVE-2011-10029 | Hig | 0.63 | — | 0.01 | Aug 20, 2025 | Solar FTP Server fails to properly handle format strings passed to the USER command. When a specially crafted string containing format specifiers is sent, the server crashes due to a read access violation in the __output_1() function of sfsservice.exe. This results in a denial… | ||
| CVE-2018-5704 | Cri | 0.63 | 9.6 | 0.05 | Jan 16, 2018 | Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote attackers to conduct cross-protocol scripting attacks, and consequently execute arbitrary commands, via a crafted web site. | ||
| CVE-2015-8617 | Cri | 0.62 | 9.8 | 0.24 | Jan 19, 2016 | Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling. | ||
| CVE-2024-9129 | Cri | 0.60 | — | 0.00 | Oct 22, 2024 | In versions of Zend Server 8.5 and prior to version 9.2 a format string injection was discovered. Reported by Dylan Marino | ||
| CVE-2017-0898 | Cri | 0.60 | 9.1 | 0.10 | Sep 15, 2017 | Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap. | ||
| CVE-2024-35845 | Cri | 0.59 | 9.1 | 0.01 | May 17, 2024 | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: dbg-tlv: ensure NUL termination The iwl_fw_ini_debug_info_tlv is used as a string, so we must ensure the string is terminated correctly before using it. | ||
| CVE-2018-7544 | Cri | 0.59 | 9.1 | 0.02 | Mar 16, 2018 | A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands,… | ||
| CVE-2010-10017 | Hig | 0.58 | — | 0.00 | Aug 30, 2025 | WM Downloader version 3.1.2.2 is vulnerable to a buffer overflow when processing a specially crafted .m3u playlist file. The application fails to properly validate input length, allowing an attacker to overwrite structured exception handler (SEH) records and execute arbitrary… | ||
| CVE-2026-12174 | Hig | 0.57 | 8.8 | 0.01 | Jun 13, 2026 | A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Such manipulation of the argument data leads to format string. The attack may be launched remotely.… |
- risk 0.69cvss —epss 0.02
ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically…
- risk 0.66cvss 9.1epss 0.44
The remote management interface in Claymore Dual Miner 10.5 and earlier is vulnerable to an unauthenticated format string vulnerability, allowing remote attackers to read memory or cause a denial of service.
- risk 0.64cvss 9.8epss 0.00
Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers.
- risk 0.64cvss 8.0epss 0.04
Format String vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with…
- risk 0.64cvss 9.8epss 0.04
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager v7.2.699 build 1001. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the content…
- risk 0.64cvss 9.8epss 0.04
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within exec.jsp. The issue results from the lack of proper…
- risk 0.64cvss 9.8epss 0.03
The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.
- risk 0.64cvss 9.8epss 0.04
In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
- risk 0.64cvss 9.8epss 0.01
CloudView NMS before 2.10a has a format string issue exploitable over SNMP.
- risk 0.64cvss 9.8epss 0.03
Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has a format string issue in racadm getsystinfo.
- risk 0.64cvss 9.8epss 0.07
Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
- risk 0.63cvss —epss 0.01
Solar FTP Server fails to properly handle format strings passed to the USER command. When a specially crafted string containing format specifiers is sent, the server crashes due to a read access violation in the __output_1() function of sfsservice.exe. This results in a denial…
- risk 0.63cvss 9.6epss 0.05
Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote attackers to conduct cross-protocol scripting attacks, and consequently execute arbitrary commands, via a crafted web site.
- risk 0.62cvss 9.8epss 0.24
Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.
- risk 0.60cvss —epss 0.00
In versions of Zend Server 8.5 and prior to version 9.2 a format string injection was discovered. Reported by Dylan Marino
- risk 0.60cvss 9.1epss 0.10
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap.
- risk 0.59cvss 9.1epss 0.01
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: dbg-tlv: ensure NUL termination The iwl_fw_ini_debug_info_tlv is used as a string, so we must ensure the string is terminated correctly before using it.
- risk 0.59cvss 9.1epss 0.02
A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands,…
- risk 0.58cvss —epss 0.00
WM Downloader version 3.1.2.2 is vulnerable to a buffer overflow when processing a specially crafted .m3u playlist file. The application fails to properly validate input length, allowing an attacker to overwrite structured exception handler (SEH) records and execute arbitrary…
- risk 0.57cvss 8.8epss 0.01
A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Such manipulation of the argument data leads to format string. The attack may be launched remotely.…