CWE-134
Use of Externally-Controlled Format String
Description
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-135 · CAPEC-67
CVEs mapped to this weakness (252)
page 4 of 13| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-15749 | Med | 0.36 | 5.5 | 0.00 | Sep 6, 2018 | The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Format String Vulnerability. | ||
| CVE-2017-17132 | Med | 0.36 | 5.5 | 0.00 | Mar 5, 2018 | Huawei VP9660 V500R002C10 has a uncontrolled format string vulnerability when the license module output the log information. An authenticated local attacker could exploit this vulnerability to cause a denial of service. | ||
| CVE-2015-2894 | Med | 0.35 | 5.3 | 0.01 | Dec 31, 2015 | Format string vulnerability in the up.time client in Idera Uptime Infrastructure Monitor 6.0 and 7.2 allows remote attackers to cause a denial of service (application crash) via format string specifiers. | ||
| CVE-2026-44407 | Med | 0.31 | 4.7 | 0.00 | May 7, 2026 | A remote denial-of-service vulnerability exists in the ZTE Cloud PC client uSmartview, which may lead to memory corruption and remote denial of service. | ||
| CVE-2026-6539 | Med | 0.29 | 4.4 | 0.00 | Apr 30, 2026 | Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language… | ||
| CVE-2015-9238 | — | Med | 0.28 | 5.3 | 0.01 | May 31, 2018 | secure-compare 3.0.0 and below do not actually compare two strings properly. compare was actually comparing the first argument with itself, meaning the check passed for any two strings of the same length. | |
| CVE-2018-14799 | Low | 0.24 | 3.7 | 0.01 | Aug 22, 2018 | In Philips PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs, all versions prior to May 2018, the PageWriter device does not sanitize data entered by user. This can lead to buffer overflow or format string vulnerabilities. | ||
| CVE-2026-6474 | Med | 0.21 | 4.3 | 0.00 | May 14, 2026 | Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. | ||
| CVE-2017-5524 | Med | 0.21 | 4.3 | 0.01 | Mar 23, 2017 | Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method. | ||
| CVE-2017-7519 | — | Low | 0.15 | 2.3 | 0.01 | Jul 27, 2018 | In Ceph, a format string flaw was found in the way libradosstriper parses input from user. A user could crash an application or service using the libradosstriper library. | |
| CVE-2026-7835 | Low | 0.13 | 3.1 | 0.00 | May 21, 2026 | A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string processing. | ||
| CVE-2012-3569 | 0.07 | — | 0.48 | Nov 14, 2012 | Format string vulnerability in VMware OVF Tool 2.1 on Windows, as used in VMware Workstation 8.x before 8.0.5, VMware Player 4.x before 4.0.5, and other products, allows user-assisted remote attackers to execute arbitrary code via a crafted OVF file. | |||
| CVE-2014-1683 | 0.06 | — | 0.31 | Jan 29, 2014 | The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or… | |||
| CVE-2012-2288 | 0.06 | — | 0.33 | Sep 4, 2012 | Format string vulnerability in the nsrd RPC service in EMC NetWorker 7.6.3 and 7.6.4 before 7.6.4.1, and 8.0 before 8.0.0.1, allows remote attackers to execute arbitrary code via format string specifiers in a message. | |||
| CVE-2009-4769 | 0.06 | — | 0.38 | Apr 20, 2010 | Multiple format string vulnerabilities in the tolog function in httpdx 1.4, 1.4.5, 1.4.6, 1.4.6b, and 1.5 allow (1) remote attackers to execute arbitrary code via format string specifiers in a GET request to the HTTP server component when logging is enabled, and allow (2) remote… | |||
| CVE-2012-1851 | 0.05 | — | 0.66 | Aug 15, 2012 | Format string vulnerability in the Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted response,… | |||
| CVE-2011-1568 | 0.05 | — | 0.19 | Apr 5, 2011 | Format string vulnerability in the logText function in shmemmgr9.dll in IGSSdataServer.exe 9.00.00.11074, and 9.00.00.11063 and earlier, in 7-Technologies Interactive Graphical SCADA System (IGSS) allows remote attackers to cause a denial of service and possibly execute… | |||
| CVE-2010-1039 | 0.05 | — | 0.20 | May 20, 2010 | Format string vulnerability in the _msgout function in rpc.pcnfsd in IBM AIX 6.1, 5.3, and earlier; IBM VIOS 2.1, 1.5, and earlier; NFS/ONCplus B.11.31_09 and earlier on HP HP-UX B.11.11, B.11.23, and B.11.31; and SGI IRIX 6.5 allows remote attackers to execute arbitrary code… | |||
| CVE-2008-3533 | 0.05 | — | 0.19 | Aug 18, 2008 | Format string vulnerability in the window_error function in yelp-window.c in yelp in Gnome after 2.19.90 and before 2.24 allows remote attackers to execute arbitrary code via format string specifiers in an invalid URI on the command line, as demonstrated by use of yelp within… | |||
| CVE-2006-3469 | 0.05 | — | 0.27 | Jul 21, 2006 | Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later… |
- risk 0.36cvss 5.5epss 0.00
The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Format String Vulnerability.
- risk 0.36cvss 5.5epss 0.00
Huawei VP9660 V500R002C10 has a uncontrolled format string vulnerability when the license module output the log information. An authenticated local attacker could exploit this vulnerability to cause a denial of service.
- risk 0.35cvss 5.3epss 0.01
Format string vulnerability in the up.time client in Idera Uptime Infrastructure Monitor 6.0 and 7.2 allows remote attackers to cause a denial of service (application crash) via format string specifiers.
- risk 0.31cvss 4.7epss 0.00
A remote denial-of-service vulnerability exists in the ZTE Cloud PC client uSmartview, which may lead to memory corruption and remote denial of service.
- risk 0.29cvss 4.4epss 0.00
Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language…
- risk 0.28cvss 5.3epss 0.01
secure-compare 3.0.0 and below do not actually compare two strings properly. compare was actually comparing the first argument with itself, meaning the check passed for any two strings of the same length.
- risk 0.24cvss 3.7epss 0.01
In Philips PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs, all versions prior to May 2018, the PageWriter device does not sanitize data entered by user. This can lead to buffer overflow or format string vulnerabilities.
- risk 0.21cvss 4.3epss 0.00
Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
- risk 0.21cvss 4.3epss 0.01
Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.
- risk 0.15cvss 2.3epss 0.01
In Ceph, a format string flaw was found in the way libradosstriper parses input from user. A user could crash an application or service using the libradosstriper library.
- risk 0.13cvss 3.1epss 0.00
A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string processing.
- CVE-2012-3569Nov 14, 2012risk 0.07cvss —epss 0.48
Format string vulnerability in VMware OVF Tool 2.1 on Windows, as used in VMware Workstation 8.x before 8.0.5, VMware Player 4.x before 4.0.5, and other products, allows user-assisted remote attackers to execute arbitrary code via a crafted OVF file.
- CVE-2014-1683Jan 29, 2014risk 0.06cvss —epss 0.31
The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or…
- CVE-2012-2288Sep 4, 2012risk 0.06cvss —epss 0.33
Format string vulnerability in the nsrd RPC service in EMC NetWorker 7.6.3 and 7.6.4 before 7.6.4.1, and 8.0 before 8.0.0.1, allows remote attackers to execute arbitrary code via format string specifiers in a message.
- CVE-2009-4769Apr 20, 2010risk 0.06cvss —epss 0.38
Multiple format string vulnerabilities in the tolog function in httpdx 1.4, 1.4.5, 1.4.6, 1.4.6b, and 1.5 allow (1) remote attackers to execute arbitrary code via format string specifiers in a GET request to the HTTP server component when logging is enabled, and allow (2) remote…
- CVE-2012-1851Aug 15, 2012risk 0.05cvss —epss 0.66
Format string vulnerability in the Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted response,…
- CVE-2011-1568Apr 5, 2011risk 0.05cvss —epss 0.19
Format string vulnerability in the logText function in shmemmgr9.dll in IGSSdataServer.exe 9.00.00.11074, and 9.00.00.11063 and earlier, in 7-Technologies Interactive Graphical SCADA System (IGSS) allows remote attackers to cause a denial of service and possibly execute…
- CVE-2010-1039May 20, 2010risk 0.05cvss —epss 0.20
Format string vulnerability in the _msgout function in rpc.pcnfsd in IBM AIX 6.1, 5.3, and earlier; IBM VIOS 2.1, 1.5, and earlier; NFS/ONCplus B.11.31_09 and earlier on HP HP-UX B.11.11, B.11.23, and B.11.31; and SGI IRIX 6.5 allows remote attackers to execute arbitrary code…
- CVE-2008-3533Aug 18, 2008risk 0.05cvss —epss 0.19
Format string vulnerability in the window_error function in yelp-window.c in yelp in Gnome after 2.19.90 and before 2.24 allows remote attackers to execute arbitrary code via format string specifiers in an invalid URI on the command line, as demonstrated by use of yelp within…
- CVE-2006-3469Jul 21, 2006risk 0.05cvss —epss 0.27
Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006 allows remote authenticated users to cause a denial of service (crash) via a format string instead of a date as the first parameter to the date_format function, which is later…