Common Weakness Enumeration

CWE-134

Allowed

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

501 vulnerabilities reference this CWE, most recent first.

GHSA-39C6-RP26-J8W8

Vulnerability from github – Published: 2022-05-01 17:45 – Updated: 2022-05-01 17:45
VLAI
Details

Format string vulnerability in iMovie HD 6.0.3, and Safari in Apple Mac OS X 10.4 through 10.4.10, allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in a filename, which is not properly handled when calling the NSRunCriticalAlertPanel Apple AppKit function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-0646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-02-01T00:28:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in iMovie HD 6.0.3, and Safari in Apple Mac OS X 10.4 through 10.4.10, allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in a filename, which is not properly handled when calling the NSRunCriticalAlertPanel Apple AppKit function.",
  "id": "GHSA-39c6-rp26-j8w8",
  "modified": "2022-05-01T17:45:53Z",
  "published": "2022-05-01T17:45:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-0646"
    },
    {
      "type": "WEB",
      "url": "http://docs.info.apple.com/article.html?artnum=305391"
    },
    {
      "type": "WEB",
      "url": "http://docs.info.apple.com/article.html?artnum=307041"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/Security-announce/2007/Apr/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2007/Nov/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/24966"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27643"
    },
    {
      "type": "WEB",
      "url": "http://www.digitalmunition.com/MOAB-30-01-2007.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/22326"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/26444"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA07-109A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA07-319A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/1470"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/3868"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3C47-P88C-P6Q6

Vulnerability from github – Published: 2022-05-17 02:50 – Updated: 2022-05-17 02:50
VLAI
Details

Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has a format string issue in racadm getsystinfo.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-7271"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-10T03:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has a format string issue in racadm getsystinfo.",
  "id": "GHSA-3c47-p88c-p6q6",
  "modified": "2022-05-17T02:50:18Z",
  "published": "2022-05-17T02:50:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7271"
    },
    {
      "type": "WEB",
      "url": "http://en.community.dell.com/techcenter/extras/m/white_papers/20441859"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97561"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CG3-WJRX-V9JW

Vulnerability from github – Published: 2022-05-17 05:51 – Updated: 2022-05-17 05:51
VLAI
Details

Multiple format string vulnerabilities in White_Dune before 0.29beta851 have unspecified impact and attack vectors, a different vulnerability than CVE-2008-0101.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-7228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-09-14T14:30:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple format string vulnerabilities in White_Dune before 0.29beta851 have unspecified impact and attack vectors, a different vulnerability than CVE-2008-0101.",
  "id": "GHSA-3cg3-wjrx-v9jw",
  "modified": "2022-05-17T05:51:54Z",
  "published": "2022-05-17T05:51:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-7228"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/apps/freshmeat/2008-02/0005.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/42677"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3FF2-4V74-VHQ8

Vulnerability from github – Published: 2026-06-26 09:30 – Updated: 2026-06-26 09:30
VLAI
Details

An unauthenticated format string vulnerability exists in vlsvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper handling of externally controlled input during log message formatting in the login processing path. A remote attacker may exploit this vulnerability by sending crafted login data, potentially causing information disclosure, memory corruption, or a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T08:16:24Z",
    "severity": "HIGH"
  },
  "details": "An unauthenticated\nformat string vulnerability exists in vlsvr in GeoVision GV-LPC2011 and\nGV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper handling\nof externally controlled input during log message formatting in the login\nprocessing path. A remote attacker may exploit this vulnerability by sending\ncrafted login data, potentially causing information disclosure, memory\ncorruption, or a denial of service.",
  "id": "GHSA-3ff2-4v74-vhq8",
  "modified": "2026-06-26T09:30:47Z",
  "published": "2026-06-26T09:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57877"
    },
    {
      "type": "WEB",
      "url": "https://www.geovision.com.tw/cyber_security.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3H7Q-H379-G658

Vulnerability from github – Published: 2022-05-17 01:48 – Updated: 2022-05-17 01:48
VLAI
Details

Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML (aka YAML-LibYAML and perl-YAML-LibYAML) module 0.38 for Perl allow remote attackers to cause a denial of service (process crash) via format string specifiers in a (1) YAML stream to the Load function, (2) YAML node to the load_node function, (3) YAML mapping to the load_mapping function, or (4) YAML sequence to the load_sequence function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-1152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-09-09T21:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML (aka YAML-LibYAML and perl-YAML-LibYAML) module 0.38 for Perl allow remote attackers to cause a denial of service (process crash) via format string specifiers in a (1) YAML stream to the Load function, (2) YAML node to the load_node function, (3) YAML mapping to the load_mapping function, or (4) YAML sequence to the load_sequence function.",
  "id": "GHSA-3h7q-h379-g658",
  "modified": "2022-05-17T01:48:46Z",
  "published": "2022-05-17T01:48:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1152"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=801738"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73856"
    },
    {
      "type": "WEB",
      "url": "https://rt.cpan.org/Public/Bug/Display.html?id=46507"
    },
    {
      "type": "WEB",
      "url": "https://rt.cpan.org/Public/Bug/Display.html?id=75365"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661548"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077023.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077782.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2012-08/msg00029.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00078.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48317"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50277"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2012/dsa-2432"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/03/09/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/03/10/4"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/52381"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3JCJ-M65J-R72C

Vulnerability from github – Published: 2022-05-02 06:19 – Updated: 2022-05-02 06:19
VLAI
Details

Format string vulnerability in vmrun in VMware VIX API 1.6.x, VMware Workstation 6.5.x before 6.5.4 build 246459, VMware Player 2.5.x before 2.5.4 build 246459, and VMware Server 2.x on Linux, and VMware Fusion 2.x before 2.0.7 build 246742, allows local users to gain privileges via format string specifiers in process metadata.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-1139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-04-12T18:30:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in vmrun in VMware VIX API 1.6.x, VMware Workstation 6.5.x before 6.5.4 build 246459, VMware Player 2.5.x before 2.5.4 build 246459, and VMware Server 2.x on Linux, and VMware Fusion 2.x before 2.0.7 build 246742, allows local users to gain privileges via format string specifiers in process metadata.",
  "id": "GHSA-3jcj-m65j-r72c",
  "modified": "2022-05-02T06:19:17Z",
  "published": "2022-05-02T06:19:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1139"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2010-04/0077.html"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0121.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.vmware.com/pipermail/security-announce/2010/000090.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/63606"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/39201"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/39206"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/39215"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-201209-25.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/39407"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1023835"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2010-0007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3M6G-2423-7CP3

Vulnerability from github – Published: 2026-03-19 12:45 – Updated: 2026-03-25 18:24
VLAI
Summary
Ruby JSON has a format string injection vulnerability
Details

Impact

A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents.

This option isn't the default, if you didn't opt-in to use it, you are not impacted.

Patches

Patched in 2.19.2.

Workarounds

The issue can be avoided by not using the allow_duplicate_key: false parsing option.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.18.0"
            },
            {
              "fixed": "2.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.16.0"
            },
            {
              "fixed": "2.17.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.14.0"
            },
            {
              "fixed": "2.15.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33210"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T12:45:53Z",
    "nvd_published_at": "2026-03-20T23:16:46Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the `allow_duplicate_key: false` parsing option is used to parse user supplied documents. \n\nThis option isn\u0027t the default, if you didn\u0027t opt-in to use it, you are not impacted.\n\n### Patches\n\nPatched in `2.19.2`.\n\n### Workarounds\n\nThe issue can be avoided by not using the `allow_duplicate_key: false` parsing option.",
  "id": "GHSA-3m6g-2423-7cp3",
  "modified": "2026-03-25T18:24:34Z",
  "published": "2026-03-19T12:45:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33210"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/json"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ruby JSON has a format string injection vulnerability"
}

GHSA-3MF2-J3P3-W43Q

Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2022-05-14 00:56
VLAI
Details

The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the console node.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-09T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the console node.",
  "id": "GHSA-3mf2-j3p3-w43q",
  "modified": "2022-05-14T00:56:54Z",
  "published": "2022-05-14T00:56:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5716"
    },
    {
      "type": "WEB",
      "url": "https://puppet.com/security/cve/pe-console-oct-2016"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3Q93-28V9-5X6V

Vulnerability from github – Published: 2026-02-24 15:30 – Updated: 2026-02-24 18:31
VLAI
Details

A post-authentication Format String vulnerability in SonicOS allows a remote attacker to crash a firewall.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-24T15:21:37Z",
    "severity": "MODERATE"
  },
  "details": "A post-authentication Format String vulnerability in SonicOS allows a remote attacker to crash a firewall.",
  "id": "GHSA-3q93-28v9-5x6v",
  "modified": "2026-02-24T18:31:02Z",
  "published": "2026-02-24T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0400"
    },
    {
      "type": "WEB",
      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3QPW-MPRX-XFRV

Vulnerability from github – Published: 2022-05-01 06:38 – Updated: 2022-05-01 06:38
VLAI
Details

Format string vulnerability in the error-reporting feature in the mysqli extension in PHP 5.1.0 and 5.1.1 might allow remote attackers to execute arbitrary code via format string specifiers in MySQL error messages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-0200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-01-13T23:03:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the error-reporting feature in the mysqli extension in PHP 5.1.0 and 5.1.1 might allow remote attackers to execute arbitrary code via format string specifiers in MySQL error messages.",
  "id": "GHSA-3qpw-mprx-xfrv",
  "modified": "2022-05-01T06:38:00Z",
  "published": "2022-05-01T06:38:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-0200"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24095"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/18431"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/337"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1015485"
    },
    {
      "type": "WEB",
      "url": "http://www.hardened-php.net/advisory_022006.113.html"
    },
    {
      "type": "WEB",
      "url": "http://www.php.net/release_5_1_2.php"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/421705/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/16219"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/0177"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/0369"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Requirements

Choose a language that is not subject to this flaw.

Mitigation
Implementation

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Mitigation
Build and Compilation

Run compilers and linkers with high warning levels, since they may detect incorrect usage.

CAPEC-135: Format String Injection

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

CAPEC-67: String Format Overflow in syslog()

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.