DEBIAN-CVE-2025-14576

Source
https://security-tracker.debian.org/tracker/CVE-2025-14576
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-14576.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-14576
Upstream
  • CVE-2025-14576
Published
2026-04-30T13:16:02.850Z
Modified
2026-05-08T12:03:26.550433Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

References

Affected packages

Debian:12 / qt6-declarative

Package

Name
qt6-declarative
Purl
pkg:deb/debian/qt6-declarative?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

6.*
6.4.2+dfsg-1
6.4.2+dfsg-2
6.4.2+dfsg-3
6.4.2+dfsg-4
6.6.0+dfsg-1
6.6.0+dfsg-2
6.6.0+dfsg-3
6.6.1+dfsg-1
6.6.1+dfsg-2
6.6.1+dfsg-3
6.6.2+dfsg-1
6.6.2+dfsg-2
6.6.2+dfsg-3
6.6.2+dfsg-4
6.6.2+dfsg-4+hurd.1
6.7.2+dfsg-1
6.7.2+dfsg-2
6.7.2+dfsg-3
6.7.2+dfsg-4
6.7.2+dfsg-5
6.7.2+dfsg-6
6.7.2+dfsg-7
6.7.2+dfsg-8
6.7.2+dfsg-9
6.7.2+dfsg-10
6.7.2+dfsg-10+hurd.1
6.7.2+dfsg-11
6.8.2+dfsg-1
6.8.2+dfsg-2
6.8.2+dfsg-3
6.8.2+dfsg-4
6.8.2+dfsg-5
6.8.2+dfsg-6
6.8.2+dfsg-6+alpha
6.8.2+dfsg-6+hurd.1
6.8.2+dfsg-7
6.8.2+dfsg-7+m68k
6.9.1+dfsg-1
6.9.1+dfsg-2
6.9.2+dfsg-1
6.9.2+dfsg-2
6.9.2+dfsg-3
6.9.2+dfsg-4
6.9.2+dfsg-5
6.9.2+dfsg-6
6.10.2+dfsg-1
6.10.2+dfsg-2
6.10.2+dfsg-3
6.10.2+dfsg-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-14576.json"

Debian:13 / qt6-declarative

Package

Name
qt6-declarative
Purl
pkg:deb/debian/qt6-declarative?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

6.*
6.8.2+dfsg-7
6.8.2+dfsg-7+m68k
6.9.1+dfsg-1
6.9.1+dfsg-2
6.9.2+dfsg-1
6.9.2+dfsg-2
6.9.2+dfsg-3
6.9.2+dfsg-4
6.9.2+dfsg-5
6.9.2+dfsg-6
6.10.2+dfsg-1
6.10.2+dfsg-2
6.10.2+dfsg-3
6.10.2+dfsg-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-14576.json"

Debian:14 / qt6-declarative

Package

Name
qt6-declarative
Purl
pkg:deb/debian/qt6-declarative?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.10.2+dfsg-4

Affected versions

6.*
6.8.2+dfsg-7
6.8.2+dfsg-7+m68k
6.9.1+dfsg-1
6.9.1+dfsg-2
6.9.2+dfsg-1
6.9.2+dfsg-2
6.9.2+dfsg-3
6.9.2+dfsg-4
6.9.2+dfsg-5
6.9.2+dfsg-6
6.10.2+dfsg-1
6.10.2+dfsg-2
6.10.2+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-14576.json"