๐Ÿ” CVE Alert

CVE-2025-14576

UNKNOWN 0.0

Possible QML code injection in VectorImage component

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

CWE: CWE-94, CWE-20
Vendor: the qt company
Product: qt
Published: Apr 30, 2026
Last Updated: Apr 30, 2026

Affected Versions

The Qt Company / Qt
6.8.0 ≤ 6.8.6
6.10.0 ≤ 6.10.1

References

codereview.qt-project.org: https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273

Credits

Qt Development Team