C & C++

Made by DeepSource

Audit required: untrusted format string CXX-A1002

Security
Major
cwe-134

If the format string comes from an untrusted source, it may contain conversion specifiers the program never intended. `printf`-style functions trust the format to describe the arguments that were actually passed, so an unexpected specifier makes the call read values that are not there (a crash or disclosure of stack contents) or, with `%n`, write to memory.

The only way to use such a string as a format is to validate it thoroughly before the call. Since that validation can still fail, avoid the pattern altogether: keep the format string a constant and pass the untrusted text as an argument.

Bad practice

printf(user_input, value); // format string is untrusted: user_input is the format itself
// Avoid this pattern, or route the input through a custom function that
// validates and escapes it before it reaches a printf-style call.
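As an added example (not DeepSource's code), the two pieces a practitioner wants next to this rule in C: an audit helper that flags a string carrying printf directives, and the fix the rule calls for, a constant format with the untrusted text passed as a `%s` argument. Function names and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if `s` contains a conversion specifier that printf would act
 * on (any '%' not written as the literal escape "%%"), otherwise 0.
 * Hypothetical helper: useful when auditing where a string flows into a
 * format parameter, not as a substitute for a constant format. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" prints one '%' and is harmless */
            p++;
            continue;
        }
        return 1;               /* "%s", "%x", "%n", a trailing '%', ... */
    }
    return 0;
}

/* Hardened form of the rule's example: the format is a compile-time
 * constant and the untrusted text is only ever an argument, so it is
 * copied verbatim whatever it contains. Returns snprintf's count. */
int format_message_safe(char *out, size_t out_len, const char *user_input)
{
    return snprintf(out, out_len, "user said: %s", user_input);
}

int main(void)
{
    /* Constructed hostile input: would be interpreted if used as a format. */
    const char *user_input = "%x %x %n";
    char buf[64];

    if (has_format_directive(user_input))
        puts("audit: input contains printf directives");

    format_message_safe(buf, sizeof buf, user_input);
    puts(buf);                  /* prints: user said: %x %x %n */
    return 0;
}
```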
