PatchSiren cyber security CVE debrief
CVE-2025-14576 Qt CVE debrief
CVE-2025-14576 is a high-severity code-injection vulnerability in Qt's SVG handling. SVG node IDs are not sufficiently validated, so a malicious SVG file loaded through the VectorImage component in Qt Quick can inject arbitrary QML/JavaScript code. Depending on the application's privilege level and data access, this can lead to denial of service, information disclosure, or other impacts. The vulnerability has a CVSS score of 7.4 (HIGH). It affects Qtdeclarative versions 6.8.0 through 6.8.6 and 6.10.0 through 6.10.1.
- Vendor: Qt
- Product: Qtdeclarative
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-30
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-30
- Advisory updated: 2026-06-30
Who should care
Developers and administrators running Qtdeclarative 6.8.0 through 6.8.6 or 6.10.0 through 6.10.1 should review their exposure. Any application that loads SVG files through the VectorImage component in Qt Quick is potentially affected, and the risk is highest where those files come from outside the application's own assets (user uploads, downloads, attachments, network content). Users of the Red Hat products referenced in the errata notices should also take action.
Technical summary
The Qt SVG module does not properly validate node IDs in SVG files. When a malicious SVG file is loaded through the VectorImage component in Qt Quick, the attacker-controlled ID values can be used to inject arbitrary QML/JavaScript code. The injected code runs inside the Qt Quick application's QML engine rather than as native code, so it is bounded by what the engine and the application expose to QML; even so, the impact can be significant, including denial of service, information disclosure, or other security issues. The vulnerability is classified under CWE-94: Improper Control of Generation of Code ('Code Injection').
Defensive priority
Patch first: update Qtdeclarative to a fixed release from Qt as soon as possible. Then review affected applications for every place where SVG content that is not part of the application's own assets reaches VectorImage, and make sure those paths handle SVG files securely.
Recommended defensive actions
- Apply the official patches from Qt and update the Qtdeclarative module to a fixed release.
- Until patched, do not load untrusted SVG files through the VectorImage component; treat any SVG from user uploads, downloads or the network as untrusted.
- Add input validation for SVG files before they reach VectorImage: reject files that fail to parse or whose node IDs are not plain identifiers.
- Monitor applications for unexpected behaviour after updating.
- Where the images are static assets, consider shipping them in a raster format (for example PNG) instead of SVG.
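The following pre-screen is an added example for the validation step above; it is not Qt project code and not a substitute for the patch. It parses an SVG and rejects any node whose `id` attribute is not a plain identifier, which is the attribute class this CVE concerns. The identifier rule (letter or underscore, then letters, digits, underscores or hyphens, at most 64 characters), the function names and the sample SVG documents are assumptions made for this example, not values from the advisory.

```python
"""Pre-screen SVG files for node IDs that are not plain identifiers.

Added example, not part of Qt: run this on SVG content before handing it to
Qt Quick's VectorImage. The SAFE_ID rule, the function names and the sample
documents are assumptions made for this example.
"""
import re
import xml.etree.ElementTree as ET

# Conservative allow-list: start with a letter or underscore, then letters,
# digits, underscores or hyphens (hyphens are common in hand-authored SVG ids,
# e.g. "layer-1"). Anything else is rejected.
SAFE_ID = re.compile(r"[A-Za-z_][A-Za-z0-9_-]{0,63}")


def find_bad_ids(svg_bytes: bytes) -> list[tuple[str, str]]:
    """Return (tag, id) pairs whose id attribute fails SAFE_ID.

    Raises xml.etree.ElementTree.ParseError for non-well-formed input; the
    caller should treat that as a rejection as well.
    """
    root = ET.fromstring(svg_bytes)
    bad: list[tuple[str, str]] = []
    for elem in root.iter():  # includes the root <svg> element itself
        node_id = elem.get("id")
        if node_id is not None and SAFE_ID.fullmatch(node_id) is None:
            tag = elem.tag.split("}", 1)[-1]  # drop the XML namespace prefix
            bad.append((tag, node_id))
    return bad


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only if the document parses and every id is a plain identifier."""
    try:
        return not find_bad_ids(svg_bytes)
    except ET.ParseError:
        return False


# Constructed sample inputs for this example (not taken from any real file).
GOOD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <g id="layer-1"><rect id="box_1" width="10" height="10"/></g>
</svg>"""

# An id containing punctuation and whitespace: not an identifier, so rejected.
ODD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect id="box; y: 2" width="10" height="10"/>
</svg>"""


if __name__ == "__main__":
    for name, doc in (("GOOD_SVG", GOOD_SVG), ("ODD_SVG", ODD_SVG)):
        verdict = "accept" if is_safe_svg(doc) else "reject"
        print(f"{name}: {verdict} {find_bad_ids(doc)}")
```

Keep the check narrow and fail-closed: a file that does not parse, or that carries any id outside the allow-list, never reaches VectorImage. The allow-list only covers `id` attributes, which is what this advisory describes; it does not make an unpatched Qtdeclarative safe against other SVG content, and `xml.etree` should be fed size-bounded input rather than arbitrary uploads.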
Evidence notes
The CVE record and NVD details provide information on the vulnerability. Red Hat has published several errata notices (RHSA-2026:20567, RHSA-2026:24987, RHSA-2026:7620, RHSA-2026:7846) related to this issue. A patch is available in the Qt code review system.
Official resources
- CVE-2025-14576 CVE record (CVE.org)
- CVE-2025-14576 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: a59d8014-47c4-4630-ab43-e1b13cbe58e3 (Patch)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.