Versions Compared

...

An attacker who can fully or partially control the contents of a format string can crash the Perl interpreter or cause a denial of service. The attacker can also modify values, perhaps by using the %n conversion specifier, and use these values to divert control flow. These capabilities are not as strong as in C [Seacord 2005]; nonetheless the danger is sufficiently great that the formatted output functions sprintf() and printf() should never be passed unsanitized format strings.
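The following Perl script is an added illustration (not code from the original page) of the two patterns behind this rule: a message built by interpolating user input into the format string, beside the corrected version that keeps the format constant and passes the input as an argument. The subroutine names and the sample filename are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Noncompliant: $user_input is interpolated into the format string, so every
# '%' conversion it contains is parsed and acted on by sprintf().
sub format_error_noncompliant {
    my ($user_input) = @_;
    return sprintf("Error: cannot open $user_input\n");
}

# Compliant: the format string is a constant; the input arrives as an
# argument to %s, so any '%' characters in it are copied verbatim.
sub format_error_compliant {
    my ($user_input) = @_;
    return sprintf("Error: cannot open %s\n", $user_input);
}

# Defensive check for code that cannot avoid a caller-supplied format:
# reject any string containing a conversion specifier other than a
# literal '%%'. (Assumed helper, not part of the rule's own text.)
sub has_conversion_specifier {
    my ($str) = @_;
    return ($str =~ /%(?!%)/) ? 1 : 0;
}

# Constructed sample: a URL-encoded filename that happens to contain '%'.
my $input = "report%20final.txt";

# The noncompliant path treats "%20f" as a width-20 %f conversion with no
# matching argument: the output is mangled and, with 'use warnings', a
# "Missing argument in sprintf" warning is emitted.
print format_error_noncompliant($input);

# The compliant path prints the filename exactly as supplied.
print format_error_compliant($input);

# The check flags the same input before it could ever reach a format slot.
print "input contains a conversion specifier\n"
    if has_conversion_specifier($input);
```

Run the script with `perl -w` to see the warning the noncompliant path triggers; the compliant path produces no warning because the input never becomes a format.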

...

MITRE CWE: CWE-134, "Uncontrolled format string"

Bibliography

[Christey 2005] Format string vulnerabilities in Perl programs
[Seacord 2005] Chapter 6, "Formatted Output"
[VU#948385] "Perl contains an integer sign error in format string processing"
[Wall 2011] perlfunc

...