VYPR

CWE-134

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft · Likelihood of exploit: High

Description

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
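
A minimal C illustration of the weakness, added to this entry as an editorial example (it is not code from CWE, CAPEC, or any of the products listed below): a logging wrapper that hands caller-supplied data to snprintf as the format string, the one-token fix that passes the same data through a literal "%s" format, and a small scanner that counts conversion specifiers in untrusted input so it can be rejected or flagged before it ever reaches a format function. The function names, buffer size and sample strings are hypothetical. The demo feeds the vulnerable function only a "%%" sequence, whose behaviour is defined, because any real conversion there (reading missing varargs with "%x", dereferencing with "%s", writing with "%n") is undefined behaviour and is exactly what an attacker supplies.

```c
/* Added example for CWE-134 (not code from the CWE entry or any listed product).
 * Function names, LOG_BUF and the sample strings are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define LOG_BUF 128

/* Vulnerable pattern: the caller's message *is* the format string, so every
 * '%' in it is interpreted by snprintf. "%x" reads variadic arguments that were
 * never passed, "%s" dereferences them, "%n" writes through them.
 * gcc/clang -Wformat-security and -Wformat-nonliteral warn on this call; the
 * pragmas silence that warning only so the vulnerable form compiles here. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int vulnerable_log(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);
}
#pragma GCC diagnostic pop

/* Fixed form: a literal format, the untrusted message is just a %s argument. */
int safe_log(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Validation/detection helper: count printf-style conversions in untrusted
 * input and report whether a write conversion (%n) is present. "%%" is a
 * literal percent and is not counted; a dangling '%' at end of string is not
 * a conversion either. Flags, width, precision and length modifiers are
 * skipped so "%-10.3lf" counts as one conversion. */
int count_conversions(const char *s, bool *has_write)
{
    int count = 0;
    *has_write = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q == '\0')             /* '%' with nothing after it */
            break;
        count++;
        if (*q == 'n')
            *has_write = true;
        p = q;
    }
    return count;
}

int main(void)
{
    char out[LOG_BUF];
    bool has_write;
    /* constructed sample: a benign message that happens to contain "%%" */
    const char *sample = "user: 100%% done";

    vulnerable_log(out, sizeof out, sample);
    printf("vulnerable: %s\n", out);   /* prints "user: 100% done": format was interpreted */
    safe_log(out, sizeof out, sample);
    printf("safe:       %s\n", out);   /* prints "user: 100%% done": copied verbatim */

    /* constructed hostile input of the kind seen in the CVEs below */
    int n = count_conversions("%x %x %n", &has_write);
    printf("conversions=%d, contains %%n=%d\n", n, has_write);
    return 0;
}
```

The compiler is the cheapest check: build with `-Wall -Wformat -Wformat-security` (add `-Wformat-nonliteral` for a stricter pass) and any call that passes a non-literal format with no arguments is reported; annotate your own variadic logging wrappers with `__attribute__((format(printf, N, M)))` so the same warning reaches calls through them. The scanner is a defence-in-depth layer for input you cannot trace all the way to the sink (file names, device aliases, template text); the actual fix is always the literal format in safe_log.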

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-135 · CAPEC-67

CVEs mapped to this weakness (252)

page 3 of 13
  • CVE-2016-4864 · High · May 12, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows remote attackers to cause a denial-of-service (DoS) via format string specifiers in a template file via fastcgi, mruby, proxy, redirect or reproxy.

  • CVE-2017-3859 · High · Mar 22, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    A vulnerability in the DHCP code for the Zero Touch Provisioning feature of Cisco ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a format string vulnerability when…

  • CVE-2025-24359 · High · Jan 24, 2025
    risk 0.48 · cvss 8.4 · epss 0.00

    ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The…

  • CVE-2024-31837 · High · Apr 30, 2024
    risk 0.48 · cvss 8.4 · epss 0.00

    DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-string vulnerability, with a threat model similar to CVE-2017-7938.

  • CVE-2025-68648 · High · Mar 10, 2026
    risk 0.47 · cvss 7.2 · epss 0.01

    A use of externally-controlled format string vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.2, FortiAnalyzer Cloud 7.4.1 through 7.4.7,…

  • CVE-2024-12805 · High · Jan 9, 2025
    risk 0.47 · cvss 7.2 · epss 0.01

    A post-authentication format string vulnerability in SonicOS management allows a remote attacker to crash a firewall and potentially leads to code execution.

  • CVE-2018-12590 · High · Jun 20, 2018
    risk 0.47 · cvss 7.2 · epss 0.02

    Ubiquiti Networks EdgeSwitch version 1.7.3 and prior suffer from an externally controlled format-string vulnerability due to lack of protection on the admin CLI, leading to code execution and privilege escalation greater than administrators themselves are allowed. An attacker…

  • CVE-2026-10828 · Medium · Jun 16, 2026
    risk 0.45 · cvss not listed · epss 0.00

    A format string vulnerability has been found in the "alias" parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior. This vulnerability stems from insufficient input validation and improper handling of externally supplied…

  • CVE-2026-6242 · Medium · Jun 6, 2026
    risk 0.44 · cvss not listed · epss 0.00

    An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or…

  • CVE-2026-6241 · Medium · Jun 6, 2026
    risk 0.44 · cvss not listed · epss 0.00

    An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to…

  • CVE-2025-64157 · Medium · Feb 10, 2026
    risk 0.44 · cvss 6.7 · epss 0.01

    A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or commands via specifically crafted…

  • CVE-2023-45583 · Medium · May 14, 2024
    risk 0.44 · cvss 6.7 · epss 0.01

    A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiOS 6.2 all versions, FortiOS 6.0.0 through 6.0.16, FortiPAM 1.1.0, FortiPAM 1.0 all versions, FortiProxy…

  • CVE-2023-36640 · Medium · May 14, 2024
    risk 0.44 · cvss 6.7 · epss 0.00

    A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiOS 6.2 all versions, FortiOS 6.0.0 through 6.0.16, FortiPAM 1.1.0, FortiPAM 1.0 all versions, FortiProxy…

  • CVE-2026-3008 · Medium · Apr 27, 2026
    risk 0.43 · cvss 6.6 · epss 0.00

    Successful exploitation of the string injection vulnerability could allow an attacker to obtain memory address information or crash the application.

  • CVE-2017-16516 · High · Nov 3, 2017
    risk 0.42 · cvss 7.5 · epss 0.04

    In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of…

  • CVE-2016-1895 · Medium · Sep 1, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    NetApp Data ONTAP before 8.2.5 and 8.3.x before 8.3.2P12 allow remote authenticated users to cause a denial of service via vectors related to unsafe user input string handling.

  • CVE-2025-10262 · Medium · Jun 16, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    Nokia SR Linux is vulnerable to local privilege escalation vulnerability due to unsanitized format validation. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privileges.

  • CVE-2024-23914 · Medium · May 3, 2024
    risk 0.37 · cvss 5.7 · epss 0.00

    Use of Externally-Controlled Format String vulnerability in Merge DICOM Toolkit C/C++ on Windows. When MC_Open_Association() function is used to open DICOM Association and gets DICOM Application Context Name with illegal characters, it might result in an unhandled exception.

  • CVE-2026-6843 · Medium · Apr 22, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). This…

  • CVE-2024-55156 · Medium · Feb 21, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    An XML External Entity (XXE) vulnerability in the deserializeArgs() method of Java SDK for CloudEvents v4.0.1 allows attackers to access sensitive information via supplying a crafted XML-formatted event message.