CVE-2025-14576

Possible QML code injection in VectorImage component

CVSS 7.4 HIGHEPSS 0.2%CWE-20 CWE-94

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.4EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

30 abr 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U

Productos afectados

The Qt Company · Qt

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273