Home

Description

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

PUBLISHED Reserved 2025-12-12 | Published 2026-04-30 | Updated 2026-04-30 | Assigner TQtC




HIGH: 7.4CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

CWE-20 Improper Input Validation

Product status

Default status
unaffected

6.8.0 (python)
affected

6.10.0 (python)
affected

Credits

Qt Development Team finder

References

codereview.qt-project.org/c/qt/qtdeclarative/+/697273 (Qt Code Review - Fix for QTBUG-142556) patch

cve.org (CVE-2025-14576)

nvd.nist.gov (CVE-2025-14576)

Download JSON