Skip to content
CVSS 7.8 · HIGH

CVE-2025-14576

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

View on NVD

Analysis

Applications built with Qt Quick using the VectorImage component are vulnerable to QML and JavaScript code injection when loading malicious SVG files. Developers should update their Qt installations, especially if their software processes SVG images from untrusted sources or user uploads.

Severity

Score: 7.8(HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AV: LOCAL
AC: LOW
PR: NONE
UI: REQUIRED
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-20CWE-94

EPSS

Probability of exploitation (next 30 days): 0.0001 (0.0%)
Percentile: 1.1%
EPSS: 2026-05-06

Affects

qt:qtdeclarative

Technical description

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

Published: 4/30/2026, 1:16:02 PM
Last modified: 5/5/2026, 2:57:05 AM

References

HomeEventsBlogResourcesTeam