Insufficient Validation in Qt SVG Module Affecting Qt Quick
CVE-2025-14576

7.4HIGH

Key Information:

Vendor: The Qt Company
Status: Qt
Vendor: CVE Published:; 30 April 2026

🔔 Create The Qt Company Vulnerability Alert

What is CVE-2025-14576?

The Qt SVG module presents a security flaw due to insufficient validation of node IDs, which could allow an attacker to inject arbitrary QML or JavaScript code when loading compromised SVG files through the VectorImage component in Qt Quick. Though QML execution is constrained compared to native code, the vulnerability can still lead to potential denial of service or unauthorized data exposure, contingent upon the specific privileges and data access levels of the application.

Affected Version(s)

Qt Windows 6.8.0 <= 6.8.6

Qt Windows 6.10.0 <= 6.10.1

References

https://codereview.qt-project.org/c/qt/qtdeclarative/+/69...

patch

CVSS V4

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 30, 2026
Vulnerability Reserved
Dec 12, 2025

Credit

Qt Development Team

CVE-2025-14576 Data

JSON