VYPR

CWE-134

Use of Externally-Controlled Format String

Base · Draft · Likelihood: High

Description

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-135 · CAPEC-67

CVEs mapped to this weakness (252)

page 1 of 13
  • CVE-2012-10055 · Critical · Aug 13, 2025
    risk 0.69 · cvss · epss 0.02

    ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically…

  • CVE-2018-6317 · Critical · Feb 2, 2018
    risk 0.66 · cvss 9.1 · epss 0.44

    The remote management interface in Claymore Dual Miner 10.5 and earlier is vulnerable to an unauthenticated format string vulnerability, allowing remote attackers to read memory or cause a denial of service.

  • CVE-2026-50211 · Critical · Jun 4, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers.

  • CVE-2018-0175 · High · KEV · Mar 28, 2018
    risk 0.64 · cvss 8.0 · epss 0.04

    Format String vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with…

  • CVE-2017-17407 · Critical · Jan 23, 2018
    risk 0.64 · cvss 9.8 · epss 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager v7.2.699 build 1001. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the content…

  • CVE-2017-16608 · Critical · Jan 23, 2018
    risk 0.64 · cvss 9.8 · epss 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within exec.jsp. The issue results from the lack of proper…

  • CVE-2017-12588 · Critical · Aug 6, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.

  • CVE-2017-10685 · Critical · Jun 29, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.

  • CVE-2016-5074 · Critical · Apr 10, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    CloudView NMS before 2.10a has a format string issue exploitable over SNMP.

  • CVE-2015-7271 · Critical · Apr 10, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has a format string issue in racadm getsystinfo.

  • CVE-2016-4448 · Critical · Jun 9, 2016
    risk 0.64 · cvss 9.8 · epss 0.07

    Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.

  • CVE-2011-10029 · High · Aug 20, 2025
    risk 0.63 · cvss · epss 0.01

    Solar FTP Server fails to properly handle format strings passed to the USER command. When a specially crafted string containing format specifiers is sent, the server crashes due to a read access violation in the __output_1() function of sfsservice.exe. This results in a denial…

  • CVE-2018-5704 · Critical · Jan 16, 2018
    risk 0.63 · cvss 9.6 · epss 0.05

    Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote attackers to conduct cross-protocol scripting attacks, and consequently execute arbitrary commands, via a crafted web site.

  • CVE-2015-8617 · Critical · Jan 19, 2016
    risk 0.62 · cvss 9.8 · epss 0.24

    Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.

  • CVE-2024-9129 · Critical · Oct 22, 2024
    risk 0.60 · cvss · epss 0.00

    In versions of Zend Server 8.5 and prior to version 9.2, a format string injection was discovered. Reported by Dylan Marino.

  • CVE-2017-0898 · Critical · Sep 15, 2017
    risk 0.60 · cvss 9.1 · epss 0.10

    Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precision specifier (*) with a huge minus value. Such a situation can lead to a buffer overrun, resulting in heap memory corruption or an information disclosure from the heap.

  • CVE-2024-35845 · Critical · May 17, 2024
    risk 0.59 · cvss 9.1 · epss 0.01

    In the Linux kernel, the following vulnerability has been resolved: "wifi: iwlwifi: dbg-tlv: ensure NUL termination". The iwl_fw_ini_debug_info_tlv is used as a string, so we must ensure the string is terminated correctly before using it.

  • CVE-2018-7544 · Critical · Mar 16, 2018
    risk 0.59 · cvss 9.1 · epss 0.02

    A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands,…

  • CVE-2010-10017 · High · Aug 30, 2025
    risk 0.58 · cvss · epss 0.00

    WM Downloader version 3.1.2.2 is vulnerable to a buffer overflow when processing a specially crafted .m3u playlist file. The application fails to properly validate input length, allowing an attacker to overwrite structured exception handler (SEH) records and execute arbitrary…

  • CVE-2026-12174 · High · Jun 13, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Such manipulation of the argument data leads to format string. The attack may be launched remotely.…