A code injection vulnerability (CVE-2025-14576) has been found in the VectorImage component of Qt's declarative module. Insufficient validation of node IDs in SVG files lets a malicious SVG inject arbitrary QML/JavaScript code, which then executes in the context of the application that loads the image. The vulnerability affects Qt 6.8.0 through 6.8.6 and Qt 6.9.0 through 6.10.1 across all major platforms and architectures, and is rated CVSS 4.0 7.4 (High). Depending on the privileges of the affected application, the impact ranges from denial of service to information disclosure and other effects. The fix is to upgrade to Qt 6.8.7, Qt 6.10.2 or a later release, or to apply the patches Qt provides. Until the upgrade is in place, load SVG files only from trusted sources and validate or sanitize SVG content before handing it to VectorImage.
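The advisory names SVG node IDs as the under-validated input and recommends validating SVG content before loading it. The following pre-filter is an added example, not code from Qt or from the advisory: it parses an SVG and rejects any `id` attribute, `href`/`xlink:href` fragment or `url(#...)` reference that falls outside a conservative allowlist. The allowlist (`ID_RE`) is an assumption of this example, deliberately stricter than the XML ID grammar so that an accepted ID can never carry quotes, braces, backslashes, newlines or other characters meaningful in QML/JavaScript source. The page does not describe the exact injection path, so treat this as defence in depth for the window before the upgrade, not as a replacement for moving to a fixed Qt release.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Assumed allowlist for SVG node IDs: letters, digits, underscore, dot, colon
# and hyphen, starting with a letter or underscore, bounded length. This is
# stricter than XML's ID grammar on purpose; quotes, braces, semicolons,
# backslashes and whitespace can never pass.
ID_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.:-]{0,127}$")

# Fragment references to node IDs: <use href="#x"/>, fill="url(#x)", style="...url(#x)".
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_REF_RE = re.compile(r"url\(\s*['\"]?#([^)'\"]*)['\"]?\s*\)")


def find_bad_ids(svg_bytes: bytes) -> list:
    """Return every node ID, or ID reference, that fails the allowlist.

    An empty list means the document passes this check. Malformed XML raises
    xml.etree.ElementTree.ParseError; callers should treat that as a reject.
    Note that parsing untrusted XML is itself an attack surface: in production
    prefer a hardened parser such as defusedxml over the stdlib one used here.
    """
    root = ET.fromstring(svg_bytes)
    bad = []
    for elem in root.iter():  # root.iter() includes the root element itself
        node_id = elem.get("id")
        if node_id is not None and not ID_RE.match(node_id):
            bad.append(node_id)
        for attr in ("href", XLINK_HREF):
            ref = elem.get(attr)
            if ref is not None and ref.startswith("#") and not ID_RE.match(ref[1:]):
                bad.append(ref[1:])
        for value in elem.attrib.values():
            for match in URL_REF_RE.finditer(value):
                if not ID_RE.match(match.group(1)):
                    bad.append(match.group(1))
    # De-duplicate while preserving first-seen order.
    return list(dict.fromkeys(bad))


def svg_is_safe(svg_bytes: bytes) -> bool:
    """Fail closed: unparsable input counts as unsafe."""
    try:
        return not find_bad_ids(svg_bytes)
    except ET.ParseError:
        return False


# Constructed sample inputs (not taken from the advisory).
GOOD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">
  <defs><linearGradient id="grad-1"/></defs>
  <rect id="box_1" width="10" height="10" fill="url(#grad-1)"/>
  <use xlink:href="#box_1"/>
</svg>"""

BAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect id='box"; foo: { }' width="10" height="10"/>
  <circle id="1starts-with-digit" r="1"/>
</svg>"""


if __name__ == "__main__":
    # Usage: python svg_id_check.py file.svg  (exit status 1 on reject)
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        offenders = find_bad_ids(data)
        print("REJECT" if offenders else "OK", offenders)
        sys.exit(1 if offenders else 0)
    print("good sample:", svg_is_safe(GOOD_SVG))
    print("bad sample: ", svg_is_safe(BAD_SVG), find_bad_ids(BAD_SVG))
```

Run the check on the upload or download path, before the bytes reach any Qt image loader, and reject rather than repair: rewriting offending IDs would also have to rewrite every reference to them, and a silently altered SVG is harder to audit than a rejected one.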

From qt.io