
CWE-134 (Use of Externally-Controlled Format String) — Vulnerability Class 112

112 vulnerabilities classified as CWE-134 (Use of Externally-Controlled Format String). AI Chinese analysis included.

CWE-134 is a critical input validation weakness in which software passes data from an untrusted external source to a function that interprets that data as a format string, such as printf. Attackers exploit it by placing format specifiers such as %x or %n in the input. Depending on the specifier, this lets them read sensitive memory contents, crash the process (denial of service), or write attacker-chosen data to memory, which can lead to remote code execution and full system compromise. To mitigate the risk, developers must never pass user-controlled data as the format string argument: the format string should be a literal, and user input should be passed as a subsequent argument. Rigorous input validation and static analysis tools can also flag these dangerous patterns early in the development lifecycle, so that external data is never interpreted as format directives.

MITRE CWE Description
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Common Consequences (2)
Scope: Confidentiality · Impact: Read Memory
Format string problems allow for information disclosure which can severely simplify exploitation of the program.
Scope: Integrity, Confidentiality, Availability · Impact: Modify Memory, Execute Unauthorized Code or Commands
Format string problems can result in the execution of arbitrary code, buffer overflows, denial of service, or incorrect data representation.

Mitigations (3)
Phase: Requirements · Choose a language that is not subject to this flaw.
Phase: Implementation · Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments is always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Phase: Build and Compilation · Run compilers and linkers with high warning levels, since they may detect incorrect usage.

Examples (2)
The following program prints a string provided as an argument.

    #include <stdio.h>
    #include <string.h>

    /* Vulnerable: the caller-supplied string is used as the format itself,
     * so any %x or %n it contains is interpreted by printf(). */
    void printWrapper(char *string) {
        printf(string);
    }

    int main(int argc, char **argv) {
        char buf[5012];
        if (argc < 2)
            return 1;
        /* Bounded copy of the argument into the local buffer. */
        strncpy(buf, argv[1], sizeof buf - 1);
        buf[sizeof buf - 1] = '\0';
        printWrapper(argv[1]);
        return 0;
    }

Bad · C
The following code copies a command line argument into a buffer using snprintf().

    #include <stdio.h>

    int main(int argc, char **argv) {
        char buf[128];
        if (argc < 2)
            return 1;
        /* ... */
        /* Vulnerable: argv[1] is passed as the format string, not as an argument. */
        snprintf(buf, 128, argv[1]);
        return 0;
    }

Bad · C
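As an added example (not from the MITRE entry and not this page's own code), the two Bad snippets above in hardened form, following the Implementation mitigation: the format string is a literal and the caller's data travels only as a %s argument, so %x or %n inside it is printed as plain text. A small defender-side helper that counts conversion directives in untrusted data is included for logging or alerting on input bound for a format-string API; the function names printWrapperSafe, copyArgSafe and countDirectives and the sample input are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of printWrapper(): the format is a literal, so the
 * caller's data is only ever the %s argument and any %x or %n inside it
 * is printed as plain text. */
void printWrapperSafe(const char *string)
{
    printf("%s", string);
}

/* Hardened counterpart of the snprintf() example. Returns the number of
 * characters copied, or -1 if the input did not fit (snprintf truncates
 * silently, so the caller must check the return value). */
int copyArgSafe(char *buf, size_t bufsize, const char *arg)
{
    int written = snprintf(buf, bufsize, "%s", arg);
    if (written < 0 || (size_t)written >= bufsize)
        return -1;
    return written;
}

/* Defender-side check (this example's own helper): count the conversion
 * directives in a piece of untrusted data. "%%" is a literal percent sign
 * and is not counted. A non-zero result on data about to reach a
 * format-string API is worth logging; it is a signal, not proof of attack. */
size_t countDirectives(const char *s)
{
    size_t count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(int argc, char **argv)
{
    /* Constructed sample input, used when no argument is given. */
    const char *input = argc > 1 ? argv[1] : "%x%x%n";
    char buf[128];

    if (countDirectives(input) > 0)
        fprintf(stderr, "warning: %zu format directive(s) in untrusted input\n",
                countDirectives(input));

    printWrapperSafe(input);   /* prints the text literally, e.g. %x%x%n */
    putchar('\n');

    if (copyArgSafe(buf, sizeof buf, input) < 0)
        fprintf(stderr, "input too long for buffer\n");
    else
        printf("copied: %s\n", buf);
    return 0;
}
```

With the literal "%s" format, the compiler can also verify that the argument count matches the directives (the Build and Compilation mitigation above), which it cannot do when the format is a runtime value.
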
CVE ID · Title — Product · CVSS · Severity · Published
CVE-2026-44407 · Remote Denial of Service Vulnerability Exists in ZTE Cloud PC Client uSmartview — ZXCLOUD iRAI · 4.7 · Medium · 2026-05-07
CVE-2026-6539 · Notepad++ 8.9.3 Format String Injection via nativeLang.xml — Notepad++ · 4.4 · Medium · 2026-04-30
CVE-2026-6843 · Nano: nano: format string vulnerability leads to denial of service — Red Hat Enterprise Linux 10 · 5.5 · Medium · 2026-04-22
CVE-2026-3509 · CODESYS Control Audit Log Format String DoS — CODESYS Control RTE (SL) · 7.5 · High · 2026-03-24
CVE-2026-33210 · Ruby JSON has a format string injection vulnerability — json · 8.2 · - · 2026-03-20
CVE-2025-68648 · Fortinet multiple products format string error vulnerability — FortiManager Cloud · 6.5 · High · 2026-03-10
CVE-2026-0400 · SonicWALL SonicOS security vulnerability — SonicOS · 6.5 (AI) · Medium (AI) · 2026-02-24
CVE-2025-30269 · Qsync Central — Qsync Central · 8.2 · - · 2026-02-11
CVE-2025-64157 · Fortinet FortiOS format string error vulnerability — FortiOS · 6.7 · Medium · 2026-02-10
CVE-2025-68949 · n8n has a Webhook Node IP Whitelist Bypass via Partial String Matching — n8n · 5.3 · Medium · 2026-01-13
CVE-2026-22190 · Panda3D <= 1.10.16 egg-mkfont Format String Information Disclosure — Panda3D · 5.5 · - · 2026-01-07
CVE-2025-53591 · QTS, QuTS hero — QTS · 6.5 · - · 2026-01-02
CVE-2023-53966 · SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow — SOUND4 LinkAndShare Transmitter · 9.8 · Critical · 2025-12-22
CVE-2025-48826 · Planet WGR-500 security vulnerability — WGR-500 · 8.8 · High · 2025-10-07
CVE-2025-53407 · QTS, QuTS hero — QTS · 6.5 · - · 2025-10-03
CVE-2025-53406 · QTS, QuTS hero — QTS · 6.5 · - · 2025-10-03
CVE-2025-52429 · QTS, QuTS hero — QTS · 6.5 · - · 2025-10-03
CVE-2025-48730 · QTS, QuTS hero — QTS · 6.5 · - · 2025-10-03
CVE-2025-36202 · IBM webMethods Integration code execution — webMethods Integration · 7.5 · High · 2025-09-22
CVE-2011-10029 · Solar FTP Server <= 2.1.1 Malformed USER Denial of Service — Solar FTP Server · 7.5 (AI) · High (AI) · 2025-08-20
CVE-2012-10055 · ComSndFTP v1.3.7 Beta USER Format String RCE — FTP Server · 9.8 (AI) · Critical (AI) · 2025-08-13
CVE-2025-40600 · SonicWALL SonicOS SSLVPN format string error vulnerability — SonicOS · 7.5 (AI) · High (AI) · 2025-07-29
CVE-2025-22482 · Qsync Central — Qsync Central · 7.1 (AI) · High (AI) · 2025-06-06
CVE-2025-48388 · FreeScout Has Insufficient Protection Against CRLF-injection — freescout · 4.3 (AI) · Medium (AI) · 2025-05-29
CVE-2024-45324 · Fortinet FortiOS format string error vulnerability — FortiPAM · 7.0 · High · 2025-03-11
CVE-2023-40721 · Fortinet FortiOS, FortiProxy and FortiPAM format string error vulnerability — FortiPAM · 6.3 · Medium · 2025-02-11
CVE-2025-24359 · ASTEVAL Vulnerable to Maliciously Crafted Format Strings Leading to Sandbox Escape — asteval · 8.4 · High · 2025-01-24
CVE-2024-12805 · SonicWALL SonicOS security vulnerability — SonicOS · 8.8 · - · 2025-01-09
CVE-2024-50403 · QTS, QuTS hero — QTS · 6.5 · - · 2024-12-06
CVE-2024-50402 · QTS, QuTS hero — QTS · 6.5 · - · 2024-12-06

Vulnerabilities classified as CWE-134 (Use of Externally-Controlled Format String) represent 112 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.