Qt SVG CVE-2025-14576

EUVD-2025-209594 | HIGH
Code Injection (CWE-94)
2026-04-30 TQtC
CVSS 4.0: 7.4

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: P
Scope: X

Lifecycle Timeline (6 events)

Analysis Generated: Apr 30, 2026 - 13:30 (vuln.today)
CVSS changed: Apr 30, 2026 - 13:22 (NVD), 7.4 (HIGH)
EUVD ID Assigned: Apr 30, 2026 - 13:00 (euvd), EUVD-2025-209594
Analysis Generated: Apr 30, 2026 - 13:00 (vuln.today)
Patch released: Apr 30, 2026 - 13:00 (nvd), Patch available
CVE Published: Apr 30, 2026 - 12:39 (nvd), HIGH 7.4

Description (NVD)

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

Analysis (AI)

Code injection in the Qt SVG module allows attackers to execute arbitrary QML/JavaScript when applications load malicious SVG files through Qt Quick's VectorImage component. Exploitation requires local file access and user interaction (opening a crafted SVG). While QML execution is more restricted than native code, attackers can still trigger denial of service, exfiltrate application data, or manipulate UI logic depending on the victim application's privilege context. No active exploitation is confirmed (not in CISA KEV), and a patch is available from the Qt Project, which reduces the urgency of an immediate emergency response.

Technical Context (AI)

This vulnerability affects Qt's declarative UI framework, specifically the integration between the Qt SVG module and Qt Quick's VectorImage component. Qt Quick uses QML (Qt Modeling Language) as a declarative language for building user interfaces, with JavaScript embedded for logic. The flaw stems from insufficient validation of node IDs when parsing SVG files (CWE-94: Improper Control of Generation of Code). Attackers can craft SVG node identifiers that break out of the expected data context and inject executable QML or JavaScript code. When applications using Qt Quick load these SVGs through VectorImage elements, the injected code executes within the QML engine's sandbox. While QML execution has more restrictions than native C++ code execution, it still provides access to application data models, UI state manipulation, and potentially filesystem or network APIs exposed to the QML context. The CPE identifies affected products as Qt framework distributions from The Qt Company, though specific version ranges are not provided in available data.

Remediation (AI)

Apply the vendor-released patch available through the Qt Project code review system at https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273. Monitor Qt's official release channels for the patched Qt version incorporating this fix, as the code review link represents an upstream commit rather than a tagged release. Until patched versions are deployed, implement input validation for SVG files before passing them to VectorImage components: reject SVG files with unusual node ID patterns, enforce strict schema validation, or sanitize SVG content through a trusted parser. For high-security environments, disable VectorImage component usage entirely and use alternative image rendering methods that do not support SVG. Restrict file system permissions so applications cannot access untrusted SVG files from user-writable directories. Apply the principle of least privilege to Qt applications so the QML execution context has minimal access to sensitive APIs, filesystems, or network resources. Note that disabling SVG support may break legitimate application functionality requiring vector graphics. Organizations using Qt LTS (Long Term Support) versions should contact The Qt Company support channels for backported patches to older releases.
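One way to implement the interim "reject unusual node ID patterns" check before a file reaches VectorImage, as an added example that is not code from Qt or from this advisory. The allowlist pattern, the function name check_svg_ids and the sample documents in the usage are assumptions made for illustration; the advisory does not define what counts as unusual.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: conservative allowlist for id values (letter or underscore first,
# then letters, digits, '_', '-', '.', at most 64 characters in total).
SAFE_ID = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,63}")
SVG_ROOT = "{http://www.w3.org/2000/svg}svg"


def check_svg_ids(data: bytes) -> list[str]:
    """Return rejection reasons for an SVG document; an empty list means it passed."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not valid UTF-8"]
    # Coarse pre-parse filter: refuse DTDs so entity declarations never reach the parser.
    if "\x00" in text or "<!DOCTYPE" in text or "<!ENTITY" in text:
        return ["DOCTYPE/ENTITY declarations or NUL bytes are not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != SVG_ROOT:
        return [f"root element is not svg: {root.tag!r}"]

    problems = []
    seen = set()
    for elem in root.iter():
        for name, value in elem.attrib.items():
            # Match plain 'id' and namespaced forms such as xml:id.
            if name.rsplit("}", 1)[-1] != "id":
                continue
            if not SAFE_ID.fullmatch(value):
                problems.append(f"id outside allowlist: {value!r}")
            elif value in seen:
                problems.append(f"duplicate id: {value!r}")
            seen.add(value)
    return problems
```

A file should be handed to the application only when the returned list is empty; this filter narrows exposure until the patched Qt build is deployed and does not replace it.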
