CWE-134 — Use of Externally-Controlled Format String
354 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-134 (page 8 of 8)
- CVE-2026-6474 | MEDIUM | CVSS 4.3 | EG 4.3 | 2026-05-14
Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
- CVE-2026-6539 | MEDIUM | CVSS 4.4 | EG 4.4 | 2026-04-30
Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attac…
- CVE-2026-6843 | MEDIUM | CVSS 5.5 | EG 5.5 | 2026-04-22
A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading t…
- CVE-2026-7835 | LOW | CVSS 3.1 | EG 3.1 | 2026-05-21
A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string processing.
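The nano and Notepad++ entries above reduce to the same bug: a printf-family call whose format argument is a string the attacker chooses (a directory name, a language-pack string). The C example below is added here to illustrate that pattern and its one-line fix; it is not code from nano, Notepad++, Netatalk, PostgreSQL, or any other project on this page, and the function names `statusline_vulnerable`, `statusline_safe` and `count_conversions` are hypothetical. The "50%% off" input is constructed for the demonstration: it contains no real conversion, so both paths are well-defined, yet the vulnerable one still rewrites the text because it parsed it as a format.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from any project listed on this page.
 * Models CWE-134: untrusted text reaches the format argument of a
 * printf-family function. */

/* Vulnerable: the attacker-controlled name IS the format string.
 * Any '%' conversion in it is interpreted: %x/%p read stack memory,
 * %s dereferences a pointer from the stack, %n writes to one. */
int statusline_vulnerable(char *out, size_t n, const char *name)
{
    /* The caller meant to display `name` but passed it as the format. */
    return snprintf(out, n, name);
}

/* Hardened: the format is a constant; the name is an ordinary %s argument
 * and is copied verbatim, '%' characters included. */
int statusline_safe(char *out, size_t n, const char *name)
{
    return snprintf(out, n, "%s", name);
}

/* Audit helper (hypothetical): count printf conversion specifiers in an
 * untrusted string, treating the literal "%%" as harmless. A count > 0
 * means the string is dangerous if it ever lands in a format argument. */
int count_conversions(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        if (p[1] == '\0')       /* trailing lone '%' starts no conversion */
            break;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed input: the kind of file or directory name a local user
     * can create. Contains only "%%", so the vulnerable path is still
     * well-defined here; a real attacker would use %x or %n instead. */
    const char *name = "50%% off";
    char buf[64];

    statusline_vulnerable(buf, sizeof buf, name);
    printf("vulnerable: %s\n", buf);   /* "50% off": the name was parsed */

    statusline_safe(buf, sizeof buf, name);
    printf("safe:       %s\n", buf);   /* "50%% off": the name was copied */

    printf("conversions in \"%%x%%x%%n\": %d\n", count_conversions("%x%x%n"));
    return 0;
}
```

Modern compilers flag the vulnerable form at build time: GCC and Clang warn with `-Wformat-security` ("format not a string literal and no format arguments"), and `-Werror=format-security` turns that into a build failure, which is the cheapest check a project can add against this whole CWE.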
Map vulnerabilities like CWE-134 to your infrastructure
EchelonGraph correlates every CVE — across CWE-134 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.