http://qs321.pair.com?node_id=11149158


in reply to Re^4: Uncontrolled Format String - Checkmarx issue
in thread Uncontrolled Format String - Checkmarx issue

Wikipedia has Uncontrolled Format String; maybe that helps you understand what the error message by Checkmarx wants to say.

I find it mildly surprising that your employer buys a tool without a contract on the vendor explaining how their tool arrives at a problem.

Looking at your format string, maybe the tool has a problem with the double %% sequence. Consider replacing it with maybe \%\%, or maybe concatenating the percent sign after building the printf string.