CVE-2025-14575 | THREATINT

Description

An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to load a rogue CA certificate as a trusted system authority via a crafted certificate file placed in the application's working directory.

PUBLISHED Reserved 2025-12-12 | Published 2026-05-19 | Updated 2026-05-19 | Assigner TQtC

LOW: 1.8CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-427: Uncontrolled Search Path Element

Product status

Default status

unaffected

5.0.0 (python)

affected

6.0.0 (python)

affected

6.6.0 (python)

affected

6.9.0 (python)

affected

References

codereview.qt-project.org/c/qt/qtbase/+/642967 (Gerrit: QSslCertificate::fromPath — reject empty path strings (Qt 6.9.2+)) patch

cve.org (CVE-2025-14575)

nvd.nist.gov (CVE-2025-14575)

Download JSON