Skip to main content

Qt SVG CVE-2025-14576

| EUVDEUVD-2025-209594 HIGH
Code Injection (CWE-94)
2026-04-30 TQtC
7.4
CVSS 4.0 · Vendor: TQtC
Share

Severity by source

Vendor (TQtC) PRIMARY
7.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (TQtC).

CVSS VectorVendor: TQtC

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Generated
Apr 30, 2026 - 13:30 vuln.today
CVSS changed
Apr 30, 2026 - 13:22 NVD
7.4 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 13:00 euvd
EUVD-2025-209594
Analysis Generated
Apr 30, 2026 - 13:00 vuln.today
Patch released
Apr 30, 2026 - 13:00 nvd
Patch available
CVE Published
Apr 30, 2026 - 12:39 nvd
HIGH 7.4

DescriptionCVE.org

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

AnalysisAI

Code injection in Qt SVG module allows attackers to execute arbitrary QML/JavaScript when applications load malicious SVG files through Qt Quick's VectorImage component. Exploitation requires local file access and user interaction (opening crafted SVG). While QML execution is more restricted than native code, attackers can still trigger denial of service, exfiltrate application data, or manipulate UI logic depending on the victim application's privilege context. No active exploitation confirmed (not in CISA KEV), but patch available from Qt Project reduces urgency for immediate emergency response.

Technical ContextAI

This vulnerability affects Qt's declarative UI framework, specifically the integration between the Qt SVG module and Qt Quick's VectorImage component. Qt Quick uses QML (Qt Modeling Language) as a declarative language for building user interfaces, with JavaScript embedded for logic. The flaw stems from insufficient validation of node IDs when parsing SVG files (CWE-94: Improper Control of Generation of Code). Attackers can craft SVG node identifiers that break out of the expected data context and inject executable QML or JavaScript code. When applications using Qt Quick load these SVGs through VectorImage elements, the injected code executes within the QML engine's sandbox. While QML execution has more restrictions than native C++ code execution, it still provides access to application data models, UI state manipulation, and potentially filesystem or network APIs exposed to the QML context. The CPE identifies affected products as Qt framework distributions from The Qt Company, though specific version ranges are not provided in available data.

RemediationAI

Apply the vendor-released patch available through Qt Project code review system at https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273. Monitor Qt's official release channels for the patched Qt version incorporating this fix, as the code review link represents an upstream commit rather than a tagged release. Until patched versions are deployed, implement input validation for SVG files before passing them to VectorImage components: reject SVG files with unusual node ID patterns, enforce strict schema validation, or sanitize SVG content through a trusted parser. For high-security environments, disable VectorImage component usage entirely and use alternative image rendering methods that do not support SVG. Restrict file system permissions so applications cannot access untrusted SVG files from user-writable directories. Apply principle of least privilege to Qt applications so the QML execution context has minimal access to sensitive APIs, filesystems, or network resources. Note that disabling SVG support may break legitimate application functionality requiring vector graphics. Organizations using Qt LTS (Long Term Support) versions should contact The Qt Company support channels for backported patches to older releases.

More in Qt

View all
CVE-2020-12267 CRITICAL POC
9.8 Apr 27

setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock. Rated critical sever

CVE-2023-37369 HIGH POC
7.5 Aug 20

In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlS

CVE-2020-13962 HIGH POC
7.5 Jun 09

Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error qu

CVE-2020-0570 HIGH POC
7.3 Sep 14

Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potential

CVE-2017-10904 CRITICAL
9.8 Dec 16

Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors. Rated cr

CVE-2024-36048 CRITICAL
9.8 May 18

QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, an

CVE-2023-51714 CRITICAL
9.8 Dec 24

An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before

CVE-2018-19873 CRITICAL
9.8 Dec 26

An issue was discovered in Qt before 5.11.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2018-19870 HIGH
8.8 Dec 26

An issue was discovered in Qt before 5.11.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2018-15518 HIGH
8.8 Dec 26

QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML doc

CVE-2015-1860 MEDIUM
6.8 May 12

Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allo

CVE-2015-1859 MEDIUM
6.8 May 12

Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x be

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed

Share

CVE-2025-14576 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy