{"api_version":"1","generated_at":"2026-05-13T07:41:44+00:00","cve":"CVE-2025-14576","urls":{"html":"https://cve.report/CVE-2025-14576","api":"https://cve.report/api/cve/CVE-2025-14576.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-14576","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-14576"},"summary":{"title":"Possible QML code injection in VectorImage component","description":"Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.","state":"PUBLISHED","assigner":"TQtC","published_at":"2026-04-30 13:16:02","updated_at":"2026-05-05 02:57:05"},"problem_types":["CWE-20","CWE-94","CWE-94 CWE-94 Improper Control of Generation of Code ('Code Injection')","CWE-20 CWE-20 Improper Input Validation"],"metrics":[{"version":"4.0","source":"a59d8014-47c4-4630-ab43-e1b13cbe58e3","type":"Secondary","score":"7.4","severity":"HIGH","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"7.4","severity":"HIGH","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":7.4,"baseSeverity":"HIGH","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"}},{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273","name":"https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273","refsource":"a59d8014-47c4-4630-ab43-e1b13cbe58e3","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-14576","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14576","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"The Qt Company","product":"Qt","version":"affected 6.8.0 6.8.6 python","platforms":["Windows","MacOS","Linux","iOS","Android","x86","ARM","64 bit","32 bit"]},{"source":"CNA","vendor":"The Qt Company","product":"Qt","version":"affected 6.10.0 6.10.1 python","platforms":["Windows","MacOS","Linux","iOS","Android","x86","ARM","64 bit","32 bit"]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Update to Qt 6.8.7 or Qt 6.10.2 or later. As a temporary mitigation, validate and sanitize all SVG files before loading them with VectorImage, or only load SVG files from trusted sources.","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Qt Development Team","lang":"en"}],"nvd_cpes":[{"cve_year":"2025","cve_id":"14576","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"qt","cpe5":"qtdeclarative","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"14576","cve":"CVE-2025-14576","epss":"0.000090000","percentile":"0.008840000","score_date":"2026-05-05","updated_at":"2026-05-06 00:08:10"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-14576","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-30T13:13:55.418329Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-30T13:14:04.728Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://www.qt.io/","defaultStatus":"unaffected","modules":["Qt Declarative (Qt Quick)","VectorImage Component"],"packageName":"qtdeclarative","platforms":["Windows","MacOS","Linux","iOS","Android","x86","ARM","64 bit","32 bit"],"product":"Qt","vendor":"The Qt Company","versions":[{"lessThanOrEqual":"6.8.6","status":"affected","version":"6.8.0","versionType":"python"},{"lessThanOrEqual":"6.10.1","status":"affected","version":"6.10.0","versionType":"python"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*","versionEndIncluding":"6.8.6","versionStartIncluding":"6.8.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*","versionEndIncluding":"6.8.6","versionStartIncluding":"6.8.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*","versionEndIncluding":"6.8.6","versionStartIncluding":"6.8.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*","versionEndIncluding":"6.8.6","versionStartIncluding":"6.8.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*","versionEndIncluding":"6.8.6","versionStartIncluding":"6.8.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*","versionEndIncluding":"6.8.6","versionStartIncluding":"6.8.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*","versionEndIncluding":"6.8.6","versionStartIncluding":"6.8.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*","versionEndIncluding":"6.8.6","versionStartIncluding":"6.8.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*","versionEndIncluding":"6.8.6","versionStartIncluding":"6.8.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*","versionEndIncluding":"6.10.1","versionStartIncluding":"6.10.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*","versionEndIncluding":"6.10.1","versionStartIncluding":"6.10.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*","versionEndIncluding":"6.10.1","versionStartIncluding":"6.10.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*","versionEndIncluding":"6.10.1","versionStartIncluding":"6.10.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*","versionEndIncluding":"6.10.1","versionStartIncluding":"6.10.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*","versionEndIncluding":"6.10.1","versionStartIncluding":"6.10.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*","versionEndIncluding":"6.10.1","versionStartIncluding":"6.10.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*","versionEndIncluding":"6.10.1","versionStartIncluding":"6.10.0","vulnerable":true},{"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*","versionEndIncluding":"6.10.1","versionStartIncluding":"6.10.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Qt Development Team"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.</p>"}],"value":"Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access."}],"impacts":[{"capecId":"CAPEC-242","descriptions":[{"lang":"en","value":"CAPEC-242 Code Injection"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":7.4,"baseSeverity":"HIGH","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-94","description":"CWE-94 Improper Control of Generation of Code ('Code Injection')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-30T12:51:40.517Z","orgId":"a59d8014-47c4-4630-ab43-e1b13cbe58e3","shortName":"TQtC"},"references":[{"name":"Qt Code Review - Fix for QTBUG-142556","tags":["patch"],"url":"https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Update to Qt 6.8.7 or Qt 6.10.2 or later. As a temporary mitigation, validate and sanitize all SVG files before loading them with VectorImage, or only load SVG files from trusted sources.</p>"}],"value":"Update to Qt 6.8.7 or Qt 6.10.2 or later. As a temporary mitigation, validate and sanitize all SVG files before loading them with VectorImage, or only load SVG files from trusted sources."}],"source":{"discovery":"INTERNAL"},"title":"Possible QML code injection in VectorImage component","x_generator":{"engine":"Vulnogram 0.1.0-dev"}}},"cveMetadata":{"assignerOrgId":"a59d8014-47c4-4630-ab43-e1b13cbe58e3","assignerShortName":"TQtC","cveId":"CVE-2025-14576","datePublished":"2026-04-30T12:39:40.067Z","dateReserved":"2025-12-12T12:52:21.516Z","dateUpdated":"2026-04-30T13:14:04.728Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-30 13:16:02","lastModifiedDate":"2026-05-05 02:57:05","problem_types":["CWE-20","CWE-94","CWE-94 CWE-94 Improper Control of Generation of Code ('Code Injection')","CWE-20 CWE-20 Improper Input Validation"],"metrics":{"cvssMetricV40":[{"source":"a59d8014-47c4-4630-ab43-e1b13cbe58e3","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:qt:qtdeclarative:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8.0","versionEndExcluding":"6.8.6","matchCriteriaId":"06BB3954-EACC-4FD9-B24D-88CBC2043FC3"},{"vulnerable":true,"criteria":"cpe:2.3:a:qt:qtdeclarative:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10.0","versionEndExcluding":"6.10.1","matchCriteriaId":"68D670C7-EF6F-468E-AD32-31F9169A8A20"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"14576","Ordinal":"1","Title":"Possible QML code injection in VectorImage component","CVE":"CVE-2025-14576","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"14576","Ordinal":"1","NoteData":"Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.","Type":"Description","Title":"Possible QML code injection in VectorImage component"}]}}}