Format string vulnerabilities are security flaws in a programmer's code, usually in the C language. They usually appear in calls to the printf, sprintf, and syslog functions, though they can occur in any function that allows format strings to be used in an insecure way. A format string contains format specifiers: generally a "%" symbol followed by a second character that determines the format of the variable being parsed, be it integer, floating-point, string, or hexadecimal.

For example:

is the secure way of using printf(), while
is insecure, and will result in the program crashing and being susceptible to buffer overflows.
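The secure and insecure uses of a printf-family function contrasted above, as an added example that is not code from the original page. The names `render_safe`, `render_unsafe`, `count_conversions` and `demo_buf` are hypothetical, and the sample strings are constructed; the insecure call is only ever fed `%%`, which consumes no argument, to show that the input is interpreted as a format rather than copied as data.

```c
#include <stdio.h>
#include <string.h>

static char demo_buf[64];   /* scratch buffer for the demonstration */

/* Secure: the format is a constant; untrusted text is only ever an argument. */
int render_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Insecure: untrusted text is used as the format string itself.
   -Wformat-security reports this call; the warning is silenced here only
   so that the contrast builds cleanly. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int render_unsafe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);
}
#pragma GCC diagnostic pop

/* Count specifiers in s that would consume an argument ("%%" does not).
   A non-zero result on input that was meant to be plain data is a red flag. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent sign */
        count++;
    }
    return count;
}

int main(void)
{
    const char *benign = "100%% done";   /* constructed input */
    const char *suspect = "user=%x %s";  /* constructed input, never used as a format */

    render_safe(demo_buf, sizeof demo_buf, benign);
    printf("safe:   %s\n", demo_buf);    /* input copied verbatim */
    render_unsafe(demo_buf, sizeof demo_buf, benign);
    printf("unsafe: %s\n", demo_buf);    /* "%%" was interpreted and collapsed */
    printf("specifiers in suspect input: %d\n", count_conversions(suspect));
    return 0;
}
```

Building with `-Wformat -Wformat-security` and leaving the warning enabled is what catches the insecure form at compile time.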