[Development] [Announce] Security advisory: QML Code Injection in VectorImage Component in Qt declarative module impacts Qt
List for announcements regarding Qt releases and development via Announce
announce at qt-project.org
Thu Apr 30 15:21:13 CEST 2026
An Improper Control of Generation of Code ('Code Injection') vulnerability in the VectorImage component of the Qt declarative module has been discovered and has been assigned CVE-2025-14576.
Affected versions: Qt 6.8.0 through Qt 6.8.6, and Qt 6.10.0 through Qt 6.10.1
Impact: Improper Control of Generation of Code ('Code Injection') vulnerability in Qt Quick on Windows, macOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows QML/JavaScript Code Injection.
This issue affects users of the VectorImage component in Qt Quick. Insufficient validation of node IDs in SVG files could allow a malicious SVG file to inject and execute arbitrary QML/JavaScript code in the application context. This requires a user to be tricked into loading a malicious SVG file. While QML execution is typically more restricted than native code execution, this could lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
CVSS 4.0 Score: 7.4 (HIGH)
Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U
Mitigation: Only load SVG files from trusted sources when using the VectorImage component. Applications should validate and sanitize SVG content before loading, or implement additional security controls to restrict the sources of SVG files that can be loaded by users.
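One way to apply that mitigation on the application side is to gate every SVG before it is handed to VectorImage. The check below is an added example written for this advisory, not Qt code: it parses the file and rejects any node whose id attribute is not a plain identifier (the allow-list regex and the sample SVGs are assumptions constructed for the example; a non-well-formed file is also rejected rather than passed on).

```python
import re
import xml.etree.ElementTree as ET

# Assumed allow-list (not taken from the advisory): an SVG node id is accepted
# only if it looks like an ordinary identifier. Quotes, braces, semicolons,
# whitespace and newlines in an id are rejected before VectorImage sees the file.
SAFE_ID = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def unsafe_svg_ids(svg_text: str) -> list[str]:
    """Return every id attribute in the SVG that fails the allow-list.

    Raises ValueError when the document is not well-formed XML, so a file that
    cannot even be parsed is treated as untrusted instead of being loaded.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed SVG: {exc}") from exc
    bad = []
    for elem in root.iter():  # every node, including those under <defs> and <g>
        node_id = elem.get("id")
        if node_id is not None and not SAFE_ID.match(node_id):
            bad.append(node_id)
    return bad


def is_safe_svg(svg_text: str) -> bool:
    """True only if the SVG parses and all of its node ids pass the allow-list.

    Call this before setting the file as the source of a VectorImage item.
    """
    try:
        return not unsafe_svg_ids(svg_text)
    except ValueError:
        return False


# Constructed sample inputs (not real files): an ordinary icon, and one whose
# id carries a quote and a space, which no legitimate node id needs.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <defs><linearGradient id="grad-1"><stop offset="0"/></linearGradient></defs>
  <rect id="box_1" width="10" height="10" fill="url(#grad-1)"/>
</svg>"""

TAINTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect id="box&quot; 1" width="10" height="10"/>
</svg>"""
```

Loading the file only when `is_safe_svg()` returns True narrows the attack surface described above; it does not replace updating to a fixed Qt release.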
Solution: Apply one of the following patches, or update to Qt 6.8.7 or Qt 6.10.2 or later:
Patches:
dev: https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273
6.10: https://codereview.qt-project.org/c/qt/qtdeclarative/+/698876 or https://download.qt.io/official_releases/qt/6.10/
6.8: https://codereview.qt-project.org/c/qt/tqtc-qtdeclarative/+/699294 or https://download.qt.io/official_releases/qt/6.8/
Kind Regards,
Tuukka Kettunen
Senior Manager, Technical Support, Customer Engineering
The Qt Group