Possible QML code injection in VectorImage component
Summary
| CVE | CVE-2025-14576 |
|---|---|
| State | PUBLISHED |
| Assigner | TQtC |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-30 13:16:02 UTC |
| Updated | 2026-07-15 02:17:18 UTC |
| Description | Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access. |
Risk And Classification
Primary CVSS: v4.0 7.4 HIGH from a59d8014-47c4-4630-ab43-e1b13cbe58e3
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000090000 probability, percentile 0.008840000 (date 2026-05-05)
Problem Types: CWE-20 | CWE-94 | CWE-94 CWE-94 Improper Control of Generation of Code ('Code Injection') | CWE-20 CWE-20 Improper Input Validation | CWE-94 Improper Control of Generation of Code ('Code Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | a59d8014-47c4-4630-ab43-e1b13cbe58e3 | Secondary | 7.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/C... |
| 4.0 | CNA | CVSS | 7.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U |
| 3.1 | [email protected] | Primary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Qt | Qtdeclarative | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | The Qt Company | Qt | affected 6.8.0 6.8.6 python | Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit |
| CNA | The Qt Company | Qt | affected 6.10.0 6.10.1 python | Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | unaffected 0:6.10.1-1.el10_2.1 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10.0 Extended Update Support | unaffected 0:6.8.1-5.el10_0 * rpm | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | unaffected 5.15.18-2.1.hum1 * rpm | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | unaffected 6.11.0-1.hum1 * rpm | Not specified |
| ADP | Red Hat | Multicluster Global Hub | Not specified | Not specified |
| ADP | Red Hat | Red Hat Advanced Cluster Management For Kubernetes 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift GitOps | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:24987 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:20567 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7846 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2025-14576 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| codereview.qt-project.org/c/qt/qtdeclarative/+/697273 | a59d8014-47c4-4630-ab43-e1b13cbe58e3 | codereview.qt-project.org | Patch |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7620 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14576.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Qt Development Team (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-04-30T13:01:32.429Z | Reported to Red Hat. |
| ADP | 2026-04-30T12:39:40.067Z | Made public. |
Solutions
CNA: Update to Qt 6.8.7 or Qt 6.10.2 or later. As a temporary mitigation, validate and sanitize all SVG files before loading them with VectorImage, or only load SVG files from trusted sources.
ADP: RHSA-2026:24987: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)
ADP: RHSA-2026:20567: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)
ADP: RHSA-2026:7620: Red Hat Hardened Images
ADP: RHSA-2026:7846: Red Hat Hardened Images