CWE-134 · Use of Externally-Controlled Format String

390 CVEs classified under CWE-134 (Use of Externally-Controlled Format String).

Top CVEs for CWE-134

| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-50211 | Critical | 9.8 | 2026-06-04 | Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRA… |
| CVE-2023-53966 | Critical | 9.8 | 2025-12-22 | SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafte… |
| CVE-2025-40600 | Critical | 9.8 | 2025-07-29 | Use of Externally-Controlled Format String vulnerability in the SonicOS SSL VPN interface allows a remote unauthenticated attacker to cause service disruption. |
| CVE-2025-46121 | Critical | 9.8 | 2025-07-21 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `s… |
| CVE-2024-23113 | Critical | 9.8 | 2024-02-15 | A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7… |
| CVE-2023-5746 | Critical | 9.8 | 2023-10-25 | A vulnerability regarding use of externally-controlled format string is found in the cgi component. This allows remote attackers to execute arbitrary code via… |
| CVE-2023-35087 | Critical | 9.8 | 2023-07-21 | It is identified a format string vulnerability in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by lacking validation for a specific value when ca… |
| CVE-2022-3023 | Critical | 9.8 | 2022-11-04 | Use of Externally-Controlled Format String in GitHub repository pingcap/tidb prior to 6.4.0, 6.1.3. |
| CVE-2022-35877 | Critical | 9.8 | 2022-10-25 | Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. Spec… |
| CVE-2022-35876 | Critical | 9.8 | 2022-10-25 | Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. Spec… |
| CVE-2022-35875 | Critical | 9.8 | 2022-10-25 | Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. Spec… |
| CVE-2022-35874 | Critical | 9.8 | 2022-10-25 | Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. Spec… |
| CVE-2022-35244 | Critical | 9.8 | 2022-10-25 | A format string injection vulnerability exists in the XCMD getVarHA functionality of abode systems, inc. iota All-In-One Security Kit 6.9X and 6.9Z. A speciall… |
| CVE-2022-33938 | Critical | 9.8 | 2022-10-25 | A format string injection vulnerability exists in the ghome_process_control_packet functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6… |
| CVE-2022-34747 | Critical | 9.8 | 2022-09-06 | A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution… |
| CVE-2022-26674 | Critical | 9.8 | 2022-04-22 | ASUS RT-AX88U has a Format String vulnerability, which allows an unauthenticated remote attacker to write to arbitrary memory address and perform remote arbitr… |
| CVE-2022-27177 | Critical | 9.8 | 2022-04-01 | A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2 |
| CVE-2021-42911 | Critical | 9.8 | 2022-03-29 | A Format String vulnerability exists in DrayTek Vigor 2960 <= 1.5.1.3, DrayTek Vigor 3900 <= 1.5.1.3, and DrayTek Vigor 300B <= 1.5.1.3 in the mainfunction.cgi… |
| CVE-2021-41193 | Critical | 9.8 | 2022-03-01 | wire-avs is the audio visual signaling (AVS) component of Wire, an open-source messenger. A remote format string vulnerability in versions prior to 7.1.12 allo… |
| CVE-2021-36161 | Critical | 9.8 | 2021-09-09 | Some component in Dubbo will try to print the formatted string of the input arguments, which will possibly cause RCE for a maliciously customized bean with spec… |