cvedb.io
CVE-2025-14576
HIGH · CVSS 7.8
EPSS exploitation probability: 0%
Published 2026-04-30T13:16:02.850 · Last modified 2026-06-30T03:16:44.490

Summary

Insufficient validation of node IDs in the Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

Affected products

qt — qtdeclarative

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.