Vulnerability Description
Insufficient validation of node IDs in the Qt SVG module allows arbitrary QML/JavaScript code injection when a malicious SVG file is loaded through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Qt | Qtdeclarative | >= 6.8.0, < 6.8.6 |
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-14576?
CVE-2025-14576 is a vulnerability with a CVSS score of 7.8 (HIGH). Insufficient validation of node IDs in the Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution ...
How severe is CVE-2025-14576?
CVE-2025-14576 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-14576?
Check the references section above for vendor advisories and patch information. Affected products include: Qt Qtdeclarative.