CWE-134
Use of Externally-Controlled Format String
Abstraction: Base · Status: Draft · Likelihood of exploit: High
Description
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-135 · CAPEC-67
CVEs mapped to this weakness (204)
Page 2 of 11

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-9212 | High | 0.49 | 7.5 | 0.00 | | May 23, 2017 | The Bluetooth stack on the BMW 330i 2011 allows a remote crash of the CD/Multimedia software via %x or %c format string specifiers in a device name. |
| CVE-2016-4864 | High | 0.49 | 7.5 | 0.02 | | May 12, 2017 | H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows remote attackers to cause a denial-of-service (DoS) via format string specifiers in a template file via fastcgi, mruby, proxy, redirect or reproxy. |
| CVE-2017-3859 | High | 0.49 | 7.5 | 0.00 | | Mar 22, 2017 | A vulnerability in the DHCP code for the Zero Touch Provisioning feature of Cisco ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a format string vulnerability when processing a crafted DHCP packet for Zero Touch Provisioning. An attacker could exploit this vulnerability by sending a specially crafted DHCP packet to an affected device. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco ASR 920 Series Aggregation Services Routers that are running an affected release of Cisco IOS XE Software (3.13 through 3.18) and are listening on the DHCP server port. By default, the devices do not listen on the DHCP server port. Cisco Bug IDs: CSCuy56385. |
| CVE-2025-24359 | High | 0.48 | 8.4 | 0.00 | | Jan 24, 2025 | ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue. |
| CVE-2024-31837 | High | 0.48 | 8.4 | 0.00 | | Apr 30, 2024 | DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-string vulnerability, with a threat model similar to CVE-2017-7938. |
| CVE-2024-12805 | High | 0.47 | 7.2 | 0.01 | | Jan 9, 2025 | A post-authentication format string vulnerability in SonicOS management allows a remote attacker to crash a firewall and potentially leads to code execution. |
| CVE-2025-64157 | Medium | 0.44 | 6.7 | 0.00 | | Feb 10, 2026 | A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or commands via specifically crafted configuration. |
| CVE-2026-3008 | Medium | 0.43 | 6.6 | 0.00 | | Apr 27, 2026 | Successful exploitation of the string injection vulnerability could allow an attacker to obtain memory address information or crash the application. |
| CVE-2017-16516 | High | 0.42 | 7.5 | 0.02 | | Nov 3, 2017 | In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service. |
| CVE-2016-1895 | Medium | 0.42 | 6.5 | 0.01 | | Sep 1, 2017 | NetApp Data ONTAP before 8.2.5 and 8.3.x before 8.3.2P12 allow remote authenticated users to cause a denial of service via vectors related to unsafe user input string handling. |
| CVE-2024-23914 | Medium | 0.37 | 5.7 | 0.00 | | May 3, 2024 | Use of Externally-Controlled Format String vulnerability in Merge DICOM Toolkit C/C++ on Windows. When MC_Open_Association() function is used to open DICOM Association and gets DICOM Application Context Name with illegal characters, it might result in an unhandled exception. |
| CVE-2026-6843 | Medium | 0.36 | 5.5 | 0.00 | | Apr 22, 2026 | A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). This results in a Denial of Service (DoS) for the `nano` application. |
| CVE-2024-55156 | Medium | 0.36 | 5.5 | 0.00 | | Feb 21, 2025 | An XML External Entity (XXE) vulnerability in the deserializeArgs() method of Java SDK for CloudEvents v4.0.1 allows attackers to access sensitive information via supplying a crafted XML-formatted event message. |
| CVE-2015-2894 | Medium | 0.35 | 5.3 | 0.01 | | Dec 31, 2015 | Format string vulnerability in the up.time client in Idera Uptime Infrastructure Monitor 6.0 and 7.2 allows remote attackers to cause a denial of service (application crash) via format string specifiers. |
| CVE-2026-44407 | Medium | 0.31 | 4.7 | 0.00 | | May 7, 2026 | A remote denial-of-service vulnerability exists in the ZTE Cloud PC client uSmartview, which may lead to memory corruption and remote denial of service. |
| CVE-2026-6539 | Medium | 0.29 | 4.4 | 0.00 | | Apr 30, 2026 | Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through community channels that triggers format string interpretation when a user performs search operations, leading to access violations and potential leakage of stack or register contents. |
| CVE-2026-6474 | Medium | 0.28 | 4.3 | 0.00 | | May 14, 2026 | Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. |
| CVE-2017-5524 | Medium | 0.21 | 4.3 | 0.00 | | Mar 23, 2017 | Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method. |
| CVE-2014-1683 | | 0.09 | — | 0.78 | | Jan 29, 2014 | The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or (4) message parameter to index.php. |
| CVE-2012-3569 | | 0.09 | — | 0.81 | | Nov 14, 2012 | Format string vulnerability in VMware OVF Tool 2.1 on Windows, as used in VMware Workstation 8.x before 8.0.5, VMware Player 4.x before 4.0.5, and other products, allows user-assisted remote attackers to execute arbitrary code via a crafted OVF file. |