CWE-134Use of Externally-Controlled Format String

Abstraction: Base · CVEs in our corpus: 380

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (0)AI

Control	Title	Family	Why it addresses this CWE
No NIST controls proposed yet.

CVE	Risk	CVSS	EPSS	Published
`CVE-2019-1579` KEV	9.2	8.1	0.9301	2019-07-19
`CVE-2024-23113` KEV	7.2	9.8	0.5438	2024-02-15
`CVE-2020-13160`	6.9	9.8	0.8242	2020-06-09
`CVE-2018-6317`	6.2	9.1	0.7266	2018-02-02
`CVE-2023-35086`	5.9	7.2	0.7507	2023-07-21
`CVE-2012-3569`	4.8	0.0	0.8064	2012-11-14
`CVE-2014-1683`	4.7	0.0	0.7784	2014-01-29
`CVE-2012-1851`	4.3	0.0	0.7245	2012-08-15
`CVE-2008-3734`	4.2	0.0	0.6943	2008-08-20
`CVE-2012-2288`	4.2	0.0	0.6993	2012-09-04
`CVE-2018-0175` KEV	3.8	8.0	0.0292	2018-03-28
`CVE-2020-3118` KEV	3.8	8.8	0.0018	2020-02-05
`CVE-2009-4769`	3.7	0.0	0.6214	2010-04-20
`CVE-2012-10055`	3.5	0.0	0.5895	2025-08-13
`CVE-2015-8617`	3.3	9.8	0.2188	2016-01-19
`CVE-2006-3469`	3.2	0.0	0.5410	2006-07-21
`CVE-2007-0017`	3.1	0.0	0.5121	2007-01-03
`CVE-2005-3656`	3.0	0.0	0.4958	2005-12-31
`CVE-2018-10388`	3.0	9.8	0.1815	2019-12-23
`CVE-2011-10029`	2.9	0.0	0.4884	2025-08-20
`CVE-2017-16608`	2.8	9.8	0.1350	2018-01-23
`CVE-2011-1568`	2.7	0.0	0.4421	2011-04-05
`CVE-2012-0809`	2.7	0.0	0.4475	2012-02-01
`CVE-2014-6262`	2.7	7.5	0.1969	2020-02-12
`CVE-2021-25489` KEV	2.7	3.3	0.0036	2021-10-06