CVE-2025-14576

Possible QML code injection in VectorImage component

CVSS 7.4 HIGHEPSS 0.2%CWE-20 CWE-94

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.4EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

30 Apr 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U

Affected products

The Qt Company · Qt

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273