Skip to content
CVSS 7.8 · HIGH

CVE-2025-14576

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

Ver en NVD

Análisis

Applications built with Qt Quick using the VectorImage component are vulnerable to QML and JavaScript code injection when loading malicious SVG files. Developers should update their Qt installations, especially if their software processes SVG images from untrusted sources or user uploads.

Severidad

Puntaje: 7.8(HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AV: LOCAL
AC: LOW
PR: NONE
UI: REQUIRED
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-20CWE-94

EPSS

Probabilidad de explotación (próx. 30 días): 0.0001 (0.0%)
Percentil: 1.1%
EPSS: 2026-05-06

Afecta

qt:qtdeclarative

Descripción técnica

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

Publicada: 30/4/2026, 13:16:02
Última modificación: 5/5/2026, 2:57:05

Referencias

InicioEventosBlogRecursosEquipo