Skip to main content

CWE-134

Use of Externally-Controlled Format String

204 CVEs Avg CVSS 7.5 MITRE
43
CRITICAL
100
HIGH
49
MEDIUM
12
LOW
58
POC
3
KEV

Monthly

CVE-2026-15680 HIGH This Week

Remote code execution in the Lorex 2K Indoor Wi-Fi Security Camera lets a network-adjacent, unauthenticated attacker run arbitrary code as root by abusing a CWE-134 format string flaw in the camera's 'sonia' binary. A user-supplied string within a JSON request is passed directly into a format specifier by the CDeviceOperator component, giving full device takeover. Discovered and reported through ZDI (ZDI-26-398 / ZDI-CAN-25884); no public exploit identified at time of analysis.

RCE 2K Indoor Wi Fi Security Camera
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2026-46465 MEDIUM PATCH This Month

Format string exploitation in Dell PowerProtect Data Domain enables remote high-privileged attackers to disclose memory contents and crash the service across multiple concurrent release trains. Affected versions span the mainline (7.7.1.0-8.7), LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches, creating broad organizational exposure for enterprises running any supported Data Domain release. No public exploit or confirmed active exploitation has been identified at time of analysis; the mandatory high-privilege prerequisite substantially constrains the realistic attacker pool.

Dell Denial Of Service Information Disclosure Powerprotect Data Domain
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-57877 HIGH This Week

Unauthenticated format string flaw in the vlsvr service of GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote attackers send crafted login data that the device passes unsanitized into a log-formatting routine. Successful exploitation can leak memory contents, corrupt memory, or crash the service, with the high availability impact (CVSS 8.6) reflecting denial of service as the most reliable outcome. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Gv Lpclpc2011 2211
NVD
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-10828 MEDIUM This Month

Format string exploitation in Moxa NPort W2150A-W4/W2250A-W4 and W2150A/W2250A series wireless serial device servers (firmware v1.5 and prior) allows network-accessible, authenticated administrators to leak arbitrary stack memory through the web management interface. The 'alias' parameter on the Serial Param configuration page passes attacker-controlled input directly to a printf-family function without sanitization, violating CWE-134. The disclosed memory contents can be used to defeat ASLR, making this vulnerability a likely prerequisite stepping-stone to CVE-2026-10829 (stack-based buffer overflow) documented in the same Moxa advisory MPSA-261910. No public exploit and no CISA KEV listing are identified at time of analysis.

Information Disclosure Nport W2150A W4 W2250A W4 Series Nport W2150A W2250A Series
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2025-10262 MEDIUM PATCH This Month

Local privilege escalation in Nokia SR Linux affects multiple release trains and allows an already-authenticated user holding elevated local privileges to execute arbitrary commands as superuser by exploiting unsanitized format string handling (CWE-134). The attack vector is local and requires high prior privileges (CVSS AV:L/PR:H), significantly limiting the exposure surface compared to a network-exploitable flaw. No public exploit code and no CISA KEV listing have been identified at time of analysis; Nokia has released patches across all affected branch lines.

Privilege Escalation Nokia Sr Linux
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-12174 HIGH POC This Week

Format string vulnerability in the D-Link DCS-935L 1.10.01 IP camera allows authenticated remote attackers to corrupt memory and likely achieve information disclosure or code execution by manipulating the data argument passed to snprintf within the /web/cgi-bin/greece/rhea HTTP handler. Publicly available exploit code exists per VulDB submission, though this CVE is not on the CISA KEV list. The CVSS 4.0 score of 7.4 reflects high impact on confidentiality, integrity, and availability with low-privilege authentication required.

D-Link Information Disclosure Dcs 935L
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-6250 HIGH PATCH This Week

Authenticated format string vulnerability in the ONVIF service of TP-Link Tapo C110 v2 cameras allows adjacent-network attackers with valid credentials to manipulate stack memory and redirect execution to internal functions, triggering an unauthorized factory reset. Successful exploitation wipes configuration, deletes stored credentials, and disrupts video surveillance service. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Authentication Bypass Tapo C110 V2
NVD VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-6242 MEDIUM PATCH This Month

Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the same network segment to crash the camera's event notification service by supplying crafted format string specifiers in subscription requests or notification generation parameters. Successful exploitation terminates the ONVIF Subscribe service unexpectedly, silently disabling real-time motion alerts and alarm notifications until service recovery or device reboot - a safety-relevant impact in physical security deployments. No public exploit code has been identified at time of analysis, and TP-Link has self-disclosed the issue alongside a firmware patch.

Code Injection Tapo C520Ws V2
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-6241 MEDIUM PATCH This Month

Format string exploitation in TP-Link's Tapo C520WS v2 ONVIF management service allows an authenticated attacker on an adjacent network segment to crash the ONVIF service by injecting format specifiers into AddScopes scope parameters, resulting in a denial-of-service condition that disrupts normal camera operation. The vulnerability (CWE-134) is confined to availability impact only - no confidentiality or integrity compromise is possible. No public exploit code has been identified at time of analysis, and a vendor-released patch is available from TP-Link.

Denial Of Service Tapo C520Ws V2
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-50211 HIGH This Week

Exposed factory diagnostics in Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) allow malicious applications to obtain write access to internal NVRAM registers, enabling persistent modification of device state and configuration. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 4.0 base score of 8.8 reflects high confidentiality and availability impact. The vulnerability was self-reported by Acer and is tracked in the EU vulnerability database as EUVD-2026-34223.

Information Disclosure Connect M6E 5G Portable Wifi Router
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH This Week

Remote code execution in the Lorex 2K Indoor Wi-Fi Security Camera lets a network-adjacent, unauthenticated attacker run arbitrary code as root by abusing a CWE-134 format string flaw in the camera's 'sonia' binary. A user-supplied string within a JSON request is passed directly into a format specifier by the CDeviceOperator component, giving full device takeover. Discovered and reported through ZDI (ZDI-26-398 / ZDI-CAN-25884); no public exploit identified at time of analysis.

RCE 2K Indoor Wi Fi Security Camera
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Format string exploitation in Dell PowerProtect Data Domain enables remote high-privileged attackers to disclose memory contents and crash the service across multiple concurrent release trains. Affected versions span the mainline (7.7.1.0-8.7), LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches, creating broad organizational exposure for enterprises running any supported Data Domain release. No public exploit or confirmed active exploitation has been identified at time of analysis; the mandatory high-privilege prerequisite substantially constrains the realistic attacker pool.

Dell Denial Of Service Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Unauthenticated format string flaw in the vlsvr service of GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote attackers send crafted login data that the device passes unsanitized into a log-formatting routine. Successful exploitation can leak memory contents, corrupt memory, or crash the service, with the high availability impact (CVSS 8.6) reflecting denial of service as the most reliable outcome. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Gv Lpclpc2011 2211
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Format string exploitation in Moxa NPort W2150A-W4/W2250A-W4 and W2150A/W2250A series wireless serial device servers (firmware v1.5 and prior) allows network-accessible, authenticated administrators to leak arbitrary stack memory through the web management interface. The 'alias' parameter on the Serial Param configuration page passes attacker-controlled input directly to a printf-family function without sanitization, violating CWE-134. The disclosed memory contents can be used to defeat ASLR, making this vulnerability a likely prerequisite stepping-stone to CVE-2026-10829 (stack-based buffer overflow) documented in the same Moxa advisory MPSA-261910. No public exploit and no CISA KEV listing are identified at time of analysis.

Information Disclosure Nport W2150A W4 W2250A W4 Series Nport W2150A W2250A Series
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Local privilege escalation in Nokia SR Linux affects multiple release trains and allows an already-authenticated user holding elevated local privileges to execute arbitrary commands as superuser by exploiting unsanitized format string handling (CWE-134). The attack vector is local and requires high prior privileges (CVSS AV:L/PR:H), significantly limiting the exposure surface compared to a network-exploitable flaw. No public exploit code and no CISA KEV listing have been identified at time of analysis; Nokia has released patches across all affected branch lines.

Privilege Escalation Nokia Sr Linux
NVD VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

Format string vulnerability in the D-Link DCS-935L 1.10.01 IP camera allows authenticated remote attackers to corrupt memory and likely achieve information disclosure or code execution by manipulating the data argument passed to snprintf within the /web/cgi-bin/greece/rhea HTTP handler. Publicly available exploit code exists per VulDB submission, though this CVE is not on the CISA KEV list. The CVSS 4.0 score of 7.4 reflects high impact on confidentiality, integrity, and availability with low-privilege authentication required.

D-Link Information Disclosure Dcs 935L
NVD VulDB GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Authenticated format string vulnerability in the ONVIF service of TP-Link Tapo C110 v2 cameras allows adjacent-network attackers with valid credentials to manipulate stack memory and redirect execution to internal functions, triggering an unauthorized factory reset. Successful exploitation wipes configuration, deletes stored credentials, and disrupts video surveillance service. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Authentication Bypass Tapo C110 V2
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the same network segment to crash the camera's event notification service by supplying crafted format string specifiers in subscription requests or notification generation parameters. Successful exploitation terminates the ONVIF Subscribe service unexpectedly, silently disabling real-time motion alerts and alarm notifications until service recovery or device reboot - a safety-relevant impact in physical security deployments. No public exploit code has been identified at time of analysis, and TP-Link has self-disclosed the issue alongside a firmware patch.

Code Injection Tapo C520Ws V2
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Format string exploitation in TP-Link's Tapo C520WS v2 ONVIF management service allows an authenticated attacker on an adjacent network segment to crash the ONVIF service by injecting format specifiers into AddScopes scope parameters, resulting in a denial-of-service condition that disrupts normal camera operation. The vulnerability (CWE-134) is confined to availability impact only - no confidentiality or integrity compromise is possible. No public exploit code has been identified at time of analysis, and a vendor-released patch is available from TP-Link.

Denial Of Service Tapo C520Ws V2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Exposed factory diagnostics in Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) allow malicious applications to obtain write access to internal NVRAM registers, enabling persistent modification of device state and configuration. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 4.0 base score of 8.8 reflects high confidentiality and availability impact. The vulnerability was self-reported by Acer and is tracked in the EU vulnerability database as EUVD-2026-34223.

Information Disclosure Connect M6E 5G Portable Wifi Router
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy