cap: fix format-string vulnerability