Simple Ghidra script which searches for calls to printf which take a variable as input instead of a constant format string which could be a potential sink.

find_suspicious_printf_calls.py

from ghidra.app.decompiler import DecompileOptions
from ghidra.app.decompiler import DecompInterface
from ghidra.util.task import ConsoleTaskMonitor
from ghidra.program.model.symbol import SymbolType

TARGET_FUNC = "printf"
target_addr = 0

symbol = currentProgram.symbolTable.getExternalSymbol(TARGET_FUNC)
if symbol and symbol.symbolType == SymbolType.FUNCTION:
    target_addr = symbol.object.functionThunkAddresses[0]

callers = []

references = getReferencesTo(target_addr)
for xref in references:
    call_addr = xref.getFromAddress()
    caller = getFunctionContaining(call_addr)
    callers.append(caller)

# deduplicate callers
callers = list(set(callers))
callers = [c for c in callers if c is not None]

options = DecompileOptions()
monitor = ConsoleTaskMonitor()
ifc = DecompInterface()
ifc.setOptions(options)
ifc.openProgram(currentProgram)

for caller in callers:
    res = ifc.decompileFunction(caller, 60, monitor)
    high_func = res.getHighFunction()
    lsm = high_func.getLocalSymbolMap()
    symbols = lsm.getSymbols()
    if high_func:
        opiter = high_func.getPcodeOps()
        while opiter.hasNext():
            op = opiter.next()
            mnemonic = str(op.getMnemonic())
            if mnemonic == "CALL":
                inputs = op.getInputs()
                addr = inputs[0].getAddress()
                if addr == target_addr:
                    arg = inputs[1] # List of VarnodeAST types
                    if not arg.isUnique():
		        print("Call to {} at {} has arguments: {}".format(addr, op.getSeqnum().getTarget(), arg))