
Qt Framework EUVD-2025-209891

CVE-2025-14575 (LOW)
Uncontrolled Search Path Element (CWE-427)
2026-05-19 TQtC GHSA-f8w9-p7h4-f9jm
CVSS 4.0 score: 1.8

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: May 19, 2026 - 14:33 (vuln.today)

Description (NVD)

An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to load a rogue CA certificate as a trusted system authority via a crafted certificate file placed in the application's working directory.

Analysis (AI)

An uncontrolled search path in Qt Network's OpenSSL TLS backend on Unix allows a high-privileged local attacker to inject a rogue CA certificate by placing a crafted certificate file in the application's working directory, causing Qt-based applications to treat it as a trusted system authority. The affected versions span multiple long-term support branches: Qt 5.x through 5.15.19, Qt 6.0-6.5.x through 6.5.9, Qt 6.6-6.8.x through 6.8.3, and Qt 6.9.x through 6.9.1, all on Unix platforms. No public exploit had been identified at the time of analysis, and the CVSS 4.0 score of 1.8 reflects the substantial preconditions (local access, high privileges, an attacker-writable working directory) that severely limit real-world impact.

Technical Context (AI)

CWE-427 (Uncontrolled Search Path Element) describes a class of vulnerability where a library or application resolves a critical resource - here, CA certificate files - by searching paths that an attacker can influence, such as the current working directory, before authoritative system paths. Qt Network (part of qtbase) uses OpenSSL as its TLS backend on Unix systems. When the TLS stack initializes and loads trusted CA certificates, the search path apparently includes the process's working directory in addition to system certificate stores. An attacker who can place files in that directory can therefore inject a certificate authority of their choosing into the application's trust store, potentially enabling acceptance of fraudulently signed TLS certificates. The affected CPE is cpe:2.3:a:the_qt_company:qt:*:*:*:*:*:*:*:*, spanning all Qt versions across the affected branches on Unix.

Remediation (AI)

A patch is available from The Qt Company per their advisory. The upstream fix is tracked in the Qt Gerrit code review at https://codereview.qt-project.org/c/qt/qtbase/+/642967. This is a commit-level fix, and the available reference data does not identify the first tagged release that contains it; operators should monitor Qt's official release notes for the first release incorporating the fix on each affected branch (expected in the releases following 5.15.19, 6.5.9, 6.8.3, and 6.9.1 respectively). As a compensating control prior to patching, restrict write access to the working directories of Qt-based applications that perform TLS operations, so that only the application's own service account can write there. Additionally, consider running Qt-based services with a dedicated working directory set to a controlled, non-writable path rather than a shared or user-writable directory. These controls remove the precondition (an attacker-writable working directory) rather than fixing the root cause, but they are effective given the AT:P constraint in the vector.
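As an added example, not code from Qt or from this advisory, the following Python check audits the compensating control described above: it flags a working directory that is writable by anyone other than the service account, and any certificate-like file already sitting in it. The file suffixes, the `audit_workdir` helper and the constructed `demo` fixture are assumptions for illustration only.

```python
import os
import stat
import tempfile
from pathlib import Path

# File suffixes treated as "certificate-like" (an assumption for this check).
CERT_SUFFIXES = {".pem", ".crt", ".cer"}


def audit_workdir(path, service_uid):
    """Return findings for a TLS-using service's working directory.

    Flags the precondition the advisory names (a directory writable by
    someone other than the service account) and any certificate-like
    file already present, which is the artefact a defender would look for.
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != service_uid:
        findings.append(f"owner uid {st.st_uid} differs from service uid {service_uid}")
    if mode & stat.S_IWGRP:
        findings.append("directory is group-writable")
    if mode & stat.S_IWOTH:
        # A sticky bit does not help here: it only blocks deleting
        # others' files, not creating a new one in the directory.
        findings.append("directory is world-writable")
    for entry in sorted(Path(path).iterdir()):
        if entry.is_file() and entry.suffix.lower() in CERT_SUFFIXES:
            findings.append(f"certificate-like file present: {entry.name}")
    return findings


def demo():
    """Constructed fixture: a world-writable directory holding a stray PEM file,
    then the same directory after the compensating control is applied."""
    with tempfile.TemporaryDirectory() as tmp:
        stray = Path(tmp) / "stray-ca.pem"
        stray.write_text("-----BEGIN CERTIFICATE-----\nCONSTRUCTED PLACEHOLDER\n"
                         "-----END CERTIFICATE-----\n")
        os.chmod(tmp, 0o777)
        before = audit_workdir(tmp, os.getuid())
        # Apply the control: service-account-only access, no stray material.
        os.chmod(tmp, 0o700)
        stray.unlink()
        after = audit_workdir(tmp, os.getuid())
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        print(label, findings or ["no findings"])
```

Point `audit_workdir` at the actual working directory of each Qt-based service (for a running process on Linux, the target of `/proc/<pid>/cwd`) with that service's uid.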
