CVE-2025-14576
Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through
CVSS
7.8
High
EPSS
0.2%
p13
KEV
—
Exploit Today
4
0-100
Published: Apr 30, 2026 · Last modified: Jul 15, 2026 · CWE-20 · CWE-94
0.2%EPSS · 30 days0.2%
2026-06-302026-07-18
Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
- codereview.qt-project.orghttps://codereview.qt-project.org/c/qt/qtdeclarative/+/697273
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20567
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24987
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7620
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7846
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2025-14576
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2464114
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14576.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-32489.8 CRI100.0%
KEV—80Langflow Missing Authentication Vulnerability4dCVE-2026-341978.8 HIG99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability4dCVE-2026-154107.2 HIG71.1%
KEV—71SonicWall SMA1000 Appliances Code Injection Vulnerability3dCVE-2026-125699.8 CRI66.0%
KEV—70PTC Windchill and FlexPLM Improper Input Validation Vulnerability18dCVE-2025-670389.8 CRI55.3%
KEV—67Lantronix EDS5000 Code Injection Vulnerability12dCVE-2021-416539.8 CRI99.5%
——30The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.10d