Improper Control of Generation of Code ('Code Injection') vulnerability in the
VectorImage component of the Qt declarative module has been discovered and has
been assigned the CVE id CVE-2025-14576.
Affected versions: From Qt 6.8.0 through Qt 6.8.6 and from Qt 6.10.0 through Qt 6.10.1
Impact: Improper Control of Generation of Code ('Code Injection') vulnerability
in Qt Quick on Windows, macOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit
allows QML/JavaScript Code Injection.
This issue affects users of the VectorImage component in Qt Quick. Insufficient
validation of node IDs in SVG files could allow a malicious SVG file to inject
and execute arbitrary QML/JavaScript code in the application context. This
requires a user to be tricked into loading a malicious SVG file. While QML
execution is typically more restricted than native code execution, this could
lead to denial of service, information disclosure, or other impacts depending
on the application's privilege level and data access.
CVSS 4.0 Score: 7.4 (HIGH)
Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U
Mitigation: Only load SVG files from trusted sources when using the VectorImage
component. Applications should validate and sanitize SVG content before
loading, or implement additional security controls to restrict the sources of
SVG files that can be loaded by users.
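One way to apply the "validate and sanitize SVG content before loading" advice is a conservative pre-check that rejects an SVG whose node IDs fall outside a strict identifier shape, before the file ever reaches the VectorImage component. The following is an added example written for this advisory, not code from Qt or from the patches linked below; the identifier pattern, the size cap and the two sample SVG documents are assumptions chosen for illustration, and the check is deliberately stricter than what the SVG specification allows for `id` values.

```python
import re
import xml.etree.ElementTree as ET

# Assumed (constructed) policy: accept only ids that look like plain identifiers.
# This is a defender's allow-list, not a reproduction of the upstream Qt fix.
SAFE_ID = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,63}$")
SVG_NS = "http://www.w3.org/2000/svg"
MAX_SVG_BYTES = 1 << 20  # assumed cap; tune to the application's needs


def check_svg(svg_bytes: bytes, max_size: int = MAX_SVG_BYTES) -> list:
    """Return a list of findings; an empty list means the document passed."""
    findings = []
    if len(svg_bytes) > max_size:
        return [f"file exceeds size limit of {max_size} bytes"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    # The root must be an <svg> element, with or without the SVG namespace.
    if root.tag not in (f"{{{SVG_NS}}}svg", "svg"):
        findings.append(f"root element is {root.tag!r}, expected <svg>")

    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name == "script":
            findings.append("<script> element present")
        node_id = elem.get("id")
        if node_id is not None and not SAFE_ID.match(node_id):
            findings.append(f"suspicious id attribute: {node_id!r}")
        # Event-handler attributes have no business in a static vector image.
        for attr in elem.attrib:
            if attr.lower().startswith("on"):
                findings.append(f"event handler attribute {attr!r}")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Convenience wrapper: True only when check_svg reports nothing."""
    return not check_svg(svg_bytes)


# Constructed sample inputs (not real-world files).
GOOD_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20">'
    b'<rect id="box_1" width="10" height="10"/>'
    b'<circle id="dot-2" cx="15" cy="15" r="3"/>'
    b"</svg>"
)
BAD_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20">'
    b'<rect id="a b;c" width="10" height="10"/>'
    b"</svg>"
)

if __name__ == "__main__":
    for name, doc in (("good", GOOD_SVG), ("bad", BAD_SVG)):
        print(name, "->", check_svg(doc) or "passed")
```

Run the check on any SVG that originates from user input or a network source and refuse to hand the file to VectorImage when `check_svg` returns findings; the rejection reasons are suitable for logging so that repeated failures against one application can be spotted in monitoring.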
Solution: Apply the following patch or update to Qt 6.8.7 or Qt 6.10.2 or later:
Patches:
dev: https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273
6.10: https://codereview.qt-project.org/c/qt/qtdeclarative/+/698876 or
https://download.qt.io/official_releases/qt/6.10/
6.8: https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/699294 or
https://download.qt.io/official_releases/qt/6.8/
Kind Regards,
Tuukka Kettunen
Senior Manager, Technical Support, Customer Engineering
The Qt Group
Confidential
_______________________________________________
Announce mailing list
[email protected]
https://lists.qt-project.org/listinfo/announce
--
Development mailing list
[email protected]
https://lists.qt-project.org/listinfo/development