CVE-2025-14576
published 2026-04-30


Priority: P3 42
Severity: high, 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.22% (12.9th percentile)
Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

Affected (9 ranges)

Vendor           | Product                                               | Version range        | Fixed in
-----------------|-------------------------------------------------------|----------------------|---------
multicluster-globalhub | multicluster-globalhub-grafana-rhel9            |                      |
openshift-gitops-1     | argocd-rhel9                                    |                      |
openshift4             | ose-cluster-control-plane-machine-set-rhel9-operator |                 |
qt                     | qt                                              |                      |
qt                     | qtdeclarative                                   | >= 6.10.0 < 6.10.1   | 6.10.1
qt                     | qtdeclarative                                   | >= 6.8.0 < 6.8.6     | 6.8.6
rhacm2                 | acm-grafana-rhel9                               |                      |
the_qt_company         | qt                                              | 6.10.0 – 6.10.1      |
the_qt_company         | qt                                              | 6.8.0 – 6.8.6        |

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|-------
nvd           | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v4.0    | 7.4   | HIGH     | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat |         | 7.4   | HIGH     |