diff --git a/acme/api/revoke.go b/acme/api/revoke.go
index c97d54c1..46a48af3 100644
--- a/acme/api/revoke.go
+++ b/acme/api/revoke.go
@@ -180,7 +180,7 @@ func isAccountAuthorized(_ context.Context, dbCert *acme.Certificate, certToBeRe
 func wrapRevokeErr(err error) *acme.Error {
 t := err.Error()
 if strings.Contains(t, "is already revoked") {
- return acme.NewError(acme.ErrorAlreadyRevokedType, t)
+ return acme.NewError(acme.ErrorAlreadyRevokedType, "%s", t)
 }
 return acme.WrapErrorISE(err, "error when revoking certificate")
 }
@@ -190,9 +190,9 @@ func wrapRevokeErr(err error) *acme.Error {
 func wrapUnauthorizedError(cert *x509.Certificate, unauthorizedIdentifiers []acme.Identifier, msg string, err error) *acme.Error {
 var acmeErr *acme.Error
 if err == nil {
- acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg)
+ acmeErr = acme.NewError(acme.ErrorUnauthorizedType, "%s", msg)
 } else {
- acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg)
+ acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, "%s", msg)
 }
 acmeErr.Status = http.StatusForbidden // RFC8555 7.6 shows example with 403
diff --git a/acme/order.go b/acme/order.go
index 8654be9c..0040aee1 100644
--- a/acme/order.go
+++ b/acme/order.go
@@ -309,7 +309,7 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 // Add subproblem for webhook errors, others can be added later.
 var webhookErr *webhook.Error
 if errors.As(err, &webhookErr) {
- acmeError := NewDetailedError(ErrorUnauthorizedType, webhookErr.Error())
+ acmeError := NewDetailedError(ErrorUnauthorizedType, "%s", webhookErr.Error())
 acmeError.AddSubproblems(Subproblem{
 Type: fmt.Sprintf("urn:smallstep:acme:error:%s", webhookErr.Code),
 Detail: webhookErr.Message,
diff --git a/authority/admin/api/webhook.go b/authority/admin/api/webhook.go
index e004c401..4ba3d349 100644
--- a/authority/admin/api/webhook.go
+++ b/authority/admin/api/webhook.go
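Review bot: In acme/api/revoke.go (hunk at -180), wrapRevokeErr still classifies the failure with `strings.Contains(t, "is already revoked")`, so the ACME error type sent to the client depends on the exact wording of an error produced elsewhere. A reworded message would silently fall through to the `WrapErrorISE` branch, and any other error whose text happens to contain that phrase would have its full text returned as the alreadyRevoked detail. If the revoking layer can expose a sentinel or typed error, matching with `errors.Is` or `errors.As` would be sturdier; failing that, a comment above the check such as `// matches the message text of the revoke error; keep the two in sync` would record the coupling. The same text matching appears in authority/ssh.go at `strings.HasPrefix(err.Error(), "error unmarshaling certificate")` (hunk at -244).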
@@ -202,7 +202,7 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 }
 if !found {
 msg := fmt.Sprintf("provisioner %q has no webhook with the name %q", prov.Name, newWebhook.Name)
- err := admin.NewError(admin.ErrorNotFoundType, msg)
+ err := admin.NewError(admin.ErrorNotFoundType, "%s", msg)
 render.Error(w, r, err)
 return
 }
diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index 0dfece7e..1e4eb0e5 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -250,7 +250,7 @@ func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 // Use options in the token.
 if opts.CertType != "" {
 if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {
- return nil, errs.BadRequestErr(err, err.Error())
+ return nil, errs.BadRequestErr(err, "%s", err.Error())
 }
 }
 if opts.KeyID != "" {
diff --git a/authority/provisioner/ssh_test.go b/authority/provisioner/ssh_test.go
index 1670366f..39bda0d4 100644
--- a/authority/provisioner/ssh_test.go
+++ b/authority/provisioner/ssh_test.go
@@ -93,7 +93,7 @@ func signSSHCertificate(key crypto.PublicKey, opts SignSSHOptions, signOpts []Si
 var templErr *sshutil.TemplateError
 if errors.As(err, &templErr) {
 return nil, errs.NewErr(http.StatusBadRequest, templErr,
- errs.WithMessage(templErr.Error()),
+ errs.WithMessage("%s", templErr.Error()),
 errs.WithKeyVal("signOptions", signOpts),
 )
 }
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index 28640866..4dda1c69 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -302,7 +302,7 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 // Use options in the token.
 if opts.CertType != "" {
 if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {
- return nil, errs.BadRequestErr(err, err.Error())
+ return nil, errs.BadRequestErr(err, "%s", err.Error())
 }
 }
 if opts.KeyID != "" {
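Review bot: In authority/admin/api/webhook.go (hunk at -202) the not-found message is now formatted twice: `fmt.Sprintf` builds `msg`, and `admin.NewError` formats it again through `"%s"`. Since this change shows NewError taking a format plus arguments, the two lines can become `err := admin.NewError(admin.ErrorNotFoundType, "provisioner %q has no webhook with the name %q", prov.Name, newWebhook.Name)`, which keeps the format string constant and drops the intermediate variable. The `if !found` block is fully visible and uses `msg` nowhere else; UpdateProvisionerWebhook itself starts and ends outside the hunk.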
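Review bot: Nothing in this change pins the behaviour being corrected in JWK.AuthorizeSSHSign (authority/provisioner/jwk.go, hunk at -250): `opts.CertType` is read from the token, and if the error returned by `sshutil.CertTypeFromString` echoes that value, a `%` in it was previously interpreted as a formatting verb in the response message. A provisioner test case using a constructed cert type such as `"user%d"` and asserting that the returned error text contains no `%!` marker would keep a later refactor from reintroducing the problem. The identical line in X5C.AuthorizeSSHSign (authority/provisioner/x5c.go, hunk at -302) deserves the same case, and a short comment like `// err text may carry token-supplied input; never pass it as the format` on both lines would explain the `"%s"`. Both functions continue outside their hunks.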
diff --git a/authority/ssh.go b/authority/ssh.go
index 8268e083..c34bcd65 100644
--- a/authority/ssh.go
+++ b/authority/ssh.go
@@ -215,7 +215,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 for _, v := range keyValidators {
 if err := v.Valid(key); err != nil {
 return nil, nil, errs.ApplyOptions(
- errs.ForbiddenErr(err, err.Error()),
+ errs.ForbiddenErr(err, "%s", err.Error()),
 errs.WithKeyVal("signOptions", signOpts),
 )
 }
@@ -232,7 +232,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 // Call enriching webhooks
 if err := a.callEnrichingWebhooksSSH(ctx, prov, webhookCtl, cr); err != nil {
 return nil, prov, errs.ApplyOptions(
- errs.ForbiddenErr(err, err.Error()),
+ errs.ForbiddenErr(err, "%s", err.Error()),
 errs.WithKeyVal("signOptions", signOpts),
 )
 }
@@ -244,7 +244,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 switch {
 case errors.As(err, &te):
 return nil, prov, errs.ApplyOptions(
- errs.BadRequestErr(err, err.Error()),
+ errs.BadRequestErr(err, "%s", err.Error()),
 errs.WithKeyVal("signOptions", signOpts),
 )
 case strings.HasPrefix(err.Error(), "error unmarshaling certificate"):
@@ -264,7 +264,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 // Use SignSSHOptions to modify the certificate validity. It will be later
 // checked or set if not defined.
 if err := opts.ModifyValidity(certTpl); err != nil {
- return nil, prov, errs.BadRequestErr(err, err.Error())
+ return nil, prov, errs.BadRequestErr(err, "%s", err.Error())
 }
 // Use provisioner modifiers.
diff --git a/authority/tls.go b/authority/tls.go
index 5a72e377..ed599879 100644
--- a/authority/tls.go
+++ b/authority/tls.go
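Review bot: In signSSH (authority/ssh.go, hunk at -232) the full text of whatever `a.callEnrichingWebhooksSSH` returns becomes the message of the 403, regardless of the error's type; signX509 in authority/tls.go (hunk at -197) does the same with `a.callEnrichingWebhooksX509`. If the formatted message of `errs.ForbiddenErr` is what the API client receives, which these hunks do not show, a transport or configuration failure while calling the webhook would put internal detail such as endpoint addresses into the response. Finalize in acme/order.go narrows with `errors.As(err, &webhookErr)` before relaying any text; doing the same here and falling back to a fixed message such as `errs.ForbiddenErr(err, "error calling enriching webhook")` for every other error would keep non-webhook failures in the logs only. Both functions continue outside these hunks, so any filtering done inside the webhook helpers should be confirmed first.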
@@ -197,7 +197,7 @@ func (a *Authority) signX509(ctx context.Context, csr *x509.CertificateRequest,
 if err := a.callEnrichingWebhooksX509(ctx, prov, webhookCtl, attData, csr); err != nil {
 return nil, prov, errs.ApplyOptions(
- errs.ForbiddenErr(err, err.Error()),
+ errs.ForbiddenErr(err, "%s", err.Error()),
 errs.WithKeyVal("csr", csr),
 errs.WithKeyVal("signOptions", signOpts),
 )
@@ -209,7 +209,7 @@ func (a *Authority) signX509(ctx context.Context, csr *x509.CertificateRequest,
 switch {
 case errors.As(err, &te):
 return nil, prov, errs.ApplyOptions(
- errs.BadRequestErr(err, err.Error()),
+ errs.BadRequestErr(err, "%s", err.Error()),
 errs.WithKeyVal("csr", csr),
 errs.WithKeyVal("signOptions", signOpts),
 )