CVE-2025-14576

Severity CVSS v4.0:

HIGH

Type:

CWE-20 Input Validation

Publication date:

30/04/2026

Last modified:

05/05/2026

Description

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application&#39;s privilege level and data access.

Impact

Vector 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U CVSS v4.0 Severity and Metrics:

Base Score: 7.40 HIGH
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U

Attack Vector (AV): Local
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): Passsive
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): High
Integrity (SI): High
Availability (SA): High
Exploit Maturity (E): Unreported

Base Score 4.0

7.40

Severity 4.0

HIGH

Vector 3.x

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

7.80

Severity 3.x

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:qt:qtdeclarative::::::::	6.8.0 (including)	6.8.6 (excluding)
cpe:2.3:a:qt:qtdeclarative::::::::	6.10.0 (including)	6.10.1 (excluding)

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273