Description
Insufficient validation of node IDs in the Qt SVG module allows arbitrary QML/JavaScript code injection when a malicious SVG file is loaded through the VectorImage component in Qt Quick. Although QML execution is typically more restricted than native code execution, this can still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
References (1)
Patch
Qt Code Review - Fix for QTBUG-142556
https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273
Scores
CVSS v3
7.8
EPSS
0.0022
EPSS Percentile
12.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-20
CWE-94
Status
published
Products (3)
qt/qtdeclarative
6.8.0 - 6.8.6
The Qt Company/Qt
6.10.0 - 6.10.1
The Qt Company/Qt
6.8.0 - 6.8.6
Published
Apr 30, 2026
Tracked Since
Apr 30, 2026