Why is printf with a single argument (without conversion specifiers) deprecated?
printf(“Hello World!”); is IMHO not vulnerable but consider this: const char *str; … printf(str); If str happens to point to a string containing %s format specifiers, your program will exhibit undefined behaviour (mostly a crash), whereas puts(str) will just display the string as is. Example: printf(“%s”); //undefined behaviour (mostly crash) puts(“%s”); // displays “%s\n”