CVE-2025-14576
Published 2026-04-30
CVE-2025-14576: Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage…
Priority P3 · 42 · high · CVSS 3.1 base score 7.8
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 0.22% (12.9th percentile)
Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| multicluster-globalhub | multicluster-globalhub-grafana-rhel9 | — | — |
| openshift-gitops-1 | argocd-rhel9 | — | — |
| openshift4 | ose-cluster-control-plane-machine-set-rhel9-operator | — | — |
| qt | qt | — | — |
| qt | qtdeclarative | >= 6.10.0 < 6.10.1 | 6.10.1 |
| qt | qtdeclarative | >= 6.8.0 < 6.8.6 | 6.8.6 |
| rhacm2 | acm-grafana-rhel9 | — | — |
| the_qt_company | qt | 6.10.0 – 6.10.1 | — |
| the_qt_company | qt | 6.8.0 – 6.8.6 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 7.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 7.4 | HIGH | — |
Red Hat
qt: Qt SVG: Arbitrary QML/JavaScript code injection via malicious SVG file
vendor_redhat · 2026-04-30 · CVSS 7.4
CVE-2025-14576 [HIGH] CWE-94 qt: Qt SVG: Arbitrary QML/JavaScript code injection via malicious SVG file
A flaw was found in the Qt SVG module and the VectorImage component in Qt Quick. This vulnerability allows a remote attacker to inject arbitrary QML/JavaScript code by tricking a user into loading a specially crafted malicious SVG file. Successful exploitation could lead to denial of service, information disclosure, or other impacts, depending on the application's privileges and data access.
Package: multicluster-globalhub/multicluster-globalhub-grafana-rhel9 (Multicluster Global Hub) - Not affected
Package: rhacm2/acm-grafana-rhel9 (Red Hat Advanced Cluster Management for Kubernetes 2) - Not affected
Package: qt6 (Red Hat Enterprise Linux 10) - Affected
Package: qt (Red Hat Enterprise Linux 6) - Not affected
GHSA
GHSA-4hpm-v49g-rq7q: Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the Vecto
ghsa_unreviewed · 2026-04-30
CVE-2025-14576 [HIGH] CWE-20 GHSA-4hpm-v49g-rq7q: Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the Vecto
Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
VulDB
Qt up to 6.8.6/6.10.1 SVG Module code injection
vuldb · 2026-04-30 · CVSS 7.4
CVE-2025-14576 [HIGH] Qt up to 6.8.6/6.10.1 SVG Module code injection
A vulnerability labeled as critical has been found in Qt up to 6.8.6/6.10.1. The affected element is an unknown function of the component SVG Module. The manipulation results in code injection.
This vulnerability is known as CVE-2025-14576. It is possible to launch the attack remotely. No exploit is available.
No detection rules found.
No public exploits indexed.
References
- https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273
- https://access.redhat.com/errata/RHSA-2026:20567
- https://access.redhat.com/errata/RHSA-2026:24987
- https://access.redhat.com/errata/RHSA-2026:7620
- https://access.redhat.com/errata/RHSA-2026:7846
- https://access.redhat.com/security/cve/CVE-2025-14576
- https://bugzilla.redhat.com/show_bug.cgi?id=2464114
- https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14576.json
Published: 2026-04-30