CWE-134— Use of Externally-Controlled Format String
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.— MITRE CWE catalog
364 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-134page 7 of 8
- CVE-2023-48221HIGHCVSS 8.8EG 7.32023-11-20
wire-avs provides Audio, Visual, and Signaling (AVS) functionality sure the secure messaging software Wire. Prior to versions 9.2.22 and 9.3.5, a remote format string vulnerability could potentially allow an attacker to cause a denial of s…
- CVE-2023-48784MEDIUMCVSS 6.7EG 6.72024-04-09
A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.1 and below, version 7.2.7 and below, 7.0 all versions, 6.4 all versions command line interface may allow a local privileged attacker with super-…
- CVE-2023-53966CRITICALCVSS 9.8EG 9.82025-12-22
SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafted environment variables. Attackers can manipulate the username environment varia…
- CVE-2023-5746CRITICALCVSS 9.8EG 9.82023-10-25
A vulnerability regarding use of externally-controlled format string is found in the cgi component. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions…
- CVE-2023-6399MEDIUMCVSS 5.7EG 5.72024-02-20
A format string vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, U…
- CVE-2023-6764HIGHCVSS 8.1EG 8.12024-02-20
A format string vulnerability in a function of the IPSec VPN feature in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series …
- CVE-2024-12805HIGHCVSS 7.2EG 9.82025-01-09
A post-authentication format string vulnerability in SonicOS management allows a remote attacker to crash a firewall and potentially leads to code execution.
- CVE-2024-23113CRITICALCVSS 9.8EG 9.8⚠ KEV2024-02-15
A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions…
- CVE-2024-23914MEDIUMCVSS 5.7EG 5.72024-05-03
Use of Externally-Controlled Format String vulnerability in Merge DICOM Toolkit C/C++ on Windows. When MC_Open_Association() function is used to open DICOM Association and gets DICOM Application Context Name with illegal characters, it mi…
- CVE-2024-31837HIGHCVSS 8.4EG 8.42024-04-30
DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-string vulnerability, with a threat model similar to CVE-2017-7938.
- CVE-2024-35845CRITICALCVSS 9.1EG 9.12024-05-17
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: dbg-tlv: ensure NUL termination The iwl_fw_ini_debug_info_tlv is used as a string, so we must ensure the string is terminated correctly before using it.
- CVE-2024-39529HIGHCVSS 7.5EG 7.52024-07-11
A Use of Externally-Controlled Format String vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If DNS Do…
- CVE-2024-42330CRITICALCVSS 9.1EG 9.12024-11-27
The HttpRequest object allows to get the HTTP headers from the server's response after sending the request. The problem is that the returned strings are created directly from the data returned by the server and are not correctly encoded fo…
- CVE-2024-45324HIGHCVSS 7.2EG 7.22025-03-11
A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.0 through 7.4.4, version 7.2.0 through 7.2.9, version 7.0.0 through 7.0.15 and before 6.4.15, FortiProxy version 7.4.0 through 7.4.6, version 7.2.0…
- CVE-2024-45330HIGHCVSS 7.2EG 7.22024-10-08
A use of externally-controlled format string in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.2 through 7.2.5 allows attacker to escalate its privileges via specially crafted requests.
- CVE-2024-4641MEDIUMCVSS 6.3EG 6.32024-06-25
OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to accepting a format string from an external source as an argument. An attacker could modify an externally controlled format string to caus…
- CVE-2024-50396HIGHCVSS 8.8EG 8.82024-11-22
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to obtain secret data or modify memory. We have al…
- CVE-2024-50397HIGHCVSS 8.8EG 8.82024-11-22
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to obtain secret data o…
- CVE-2024-50398HIGHCVSS 7.2EG 7.22024-11-22
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secr…
- CVE-2024-50399HIGHCVSS 7.2EG 7.22024-11-22
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secr…
- CVE-2024-50400HIGHCVSS 7.2EG 7.22024-11-22
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secr…
- CVE-2024-50401HIGHCVSS 7.2EG 7.22024-11-22
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secr…
- CVE-2024-50402HIGHCVSS 7.2EG 7.22024-12-06
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secr…
- CVE-2024-50403HIGHCVSS 7.2EG 7.22024-12-06
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secr…
- CVE-2024-55156MEDIUMCVSS 5.5EG 5.52025-02-21
An XML External Entity (XXE) vulnerability in the deserializeArgs() method of Java SDK for CloudEvents v4.0.1 allows attackers to access sensitive information via supplying a crafted XML-formatted event message.
- CVE-2024-6145HIGHCVSS 8.8EG 8.82024-06-19
Actiontec WCB6200Q Cookie Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Actiontec WCB6200Q routers. Authentication is not requ…
- CVE-2024-9129CRITICALCVSS 9.3EG 9.32024-10-22
In versions of Zend Server 8.5 and prior to version 9.2 a format string injection was discovered. Reported by Dylan Marino
- CVE-2025-10262MEDIUMCVSS 6.3EG 6.32026-06-16
Nokia SR Linux is vulnerable to local privilege escalation vulnerability due to unsanitized format validation. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privi…
- CVE-2025-22482HIGHCVSS 8.1EG 8.12025-06-06
A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to obtain secret data or modify memory. We have…
- CVE-2025-24359HIGHCVSS 8.4EG 8.42025-01-24
ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of…
- CVE-2025-30269HIGHCVSS 8.1EG 8.12026-02-11
A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data or modify memory. We have alrea…
- CVE-2025-36202HIGHCVSS 7.5EG 7.52025-09-22
IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external sou…
- CVE-2025-40600CRITICALCVSS 9.8EG 9.82025-07-29
Use of Externally-Controlled Format String vulnerability in the SonicOS SSL VPN interface allows a remote unauthenticated attacker to cause service disruption.
- CVE-2025-46121CRITICALCVSS 9.8EG 7.22025-07-21
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the for…
- CVE-2025-46123HIGHCVSS 7.2EG 7.22025-07-21
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where the authenticated configuration endpoint `/admin/_conf.jsp` writes the Wi-Fi guest p…
- CVE-2025-48388MEDIUMCVSS 6.5EG 6.52025-05-29
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, the application performs insufficient validation of user-supplied data, which is used as arguments to string formatting functions. As a result, an atta…
- CVE-2025-48730MEDIUMCVSS 6.5EG 6.52025-10-03
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret da…
- CVE-2025-48826HIGHCVSS 8.8EG 8.82025-10-07
A format string vulnerability exists in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to memory corruption. An attacker can send a series of HTTP requests to trigger th…
- CVE-2025-52429MEDIUMCVSS 6.5EG 6.52025-10-03
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret da…
- CVE-2025-52666LOWCVSS 2.7EG 2.72025-11-20
Improper neutralisation of format characters in the settings of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an administrator user to disable the admin user console due to a fatal PHP error.
- CVE-2025-53406MEDIUMCVSS 6.5EG 6.52025-10-03
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret da…
- CVE-2025-53407MEDIUMCVSS 6.5EG 6.52025-10-03
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret da…
- CVE-2025-53591MEDIUMCVSS 6.5EG 6.52026-01-02
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret da…
- CVE-2025-55298HIGHCVSS 7.5EG 7.52025-08-26
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user inpu…
- CVE-2025-64157MEDIUMCVSS 6.7EG 6.72026-02-10
A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized c…
- CVE-2025-68648HIGHCVSS 7.2EG 7.22026-03-10
A use of externally-controlled format string vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.2, FortiAn…
- CVE-2025-68949MEDIUMCVSS 5.3EG 5.32026-01-13
n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accep…
- CVE-2026-10828MEDIUMCVSS 6.9EG 6.92026-06-16
A format string vulnerability has been found in the "alias" parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior. This vulnerability stems from insufficient input validation and imp…
- CVE-2026-12174HIGHCVSS 8.8EG 8.82026-06-13
A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Such manipulation of the argument data leads to format stri…
- CVE-2026-21640LOWCVSS 2.7EG 2.72026-01-20
HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fata…
Map vulnerabilities like CWE-134 to your infrastructure
EchelonGraph correlates every CVE — across CWE-134 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →