Possible QML code injection in VectorImage component
Summary
| CVE | CVE-2025-14576 |
|---|---|
| State | PUBLISHED |
| Assigner | TQtC |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-30 13:16:02 UTC |
| Updated | 2026-05-05 02:57:05 UTC |
| Description | Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access. |
Risk And Classification
Primary CVSS: v4.0 7.4 HIGH from a59d8014-47c4-4630-ab43-e1b13cbe58e3
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000090000 probability, percentile 0.008840000 (date 2026-05-05)
Problem Types: CWE-94 Improper Control of Generation of Code ('Code Injection') | CWE-20 Improper Input Validation
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | a59d8014-47c4-4630-ab43-e1b13cbe58e3 | Secondary | 7.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/C... |
| 4.0 | CNA | CVSS | 7.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U |
| 3.1 | [email protected] | Primary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Qt | Qtdeclarative | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | The Qt Company | Qt | affected: 6.8.0 through 6.8.6 (versionType: python) | Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit |
| CNA | The Qt Company | Qt | affected: 6.10.0 through 6.10.1 (versionType: python) | Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| codereview.qt-project.org/c/qt/qtdeclarative/+/697273 | a59d8014-47c4-4630-ab43-e1b13cbe58e3 | codereview.qt-project.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Qt Development Team
Additional Advisory Data
Solutions
CNA: Update to Qt 6.8.7 or Qt 6.10.2 or later. As a temporary mitigation, validate and sanitize all SVG files before loading them with VectorImage, or only load SVG files from trusted sources.