Possible QML code injection in VectorImage component

Description

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

Affected Products

Vendor	Product	Versions
the qt	qt	6.8.0, 6.10.0, 6.8.6, 6.10.1

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	qt	cert_advisory	90%

References

https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273(patch)

Related News (2 articles)

Tier B

BSI Advisories4h ago

[NEU] [hoch] QT: Schwachstelle ermöglicht Codeausführung

→ No new info (linked only)

Tier C

VulDB4d ago

CVE-2025-14576 | Qt up to 6.8.6/6.10.1 SVG Module code injection

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273

CWECWE-94, CWE-20

PublishedApr 30, 2026

Last enriched4d agov2

Community Vote

Version History

Last enriched 4d ago

v2Tier C4d ago

Updated severity to CRITICAL, added new affected versions 6.8.6 and 6.10.1, and noted that no exploit is available.

severityaffectedVersionsactivelyExploitedtags

via VulDB

v14d ago

Initial creation