{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14576", "assignerOrgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "state": "PUBLISHED", "assignerShortName": "TQtC", "dateReserved": "2025-12-12T12:52:21.516Z", "datePublished": "2026-04-30T12:39:40.067Z", "dateUpdated": "2026-04-30T13:14:04.728Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "shortName": "TQtC", "dateUpdated": "2026-04-30T12:51:40.517Z"}, "title": "Possible QML code injection in VectorImage component", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "affected": [{"vendor": "The Qt Company", "product": "Qt", "platforms": ["Windows", "MacOS", "Linux", "iOS", "Android", "x86", "ARM", "64 bit", "32 bit"], "collectionURL": "https://www.qt.io/", "packageName": "qtdeclarative", "modules": ["Qt Declarative (Qt Quick)", "VectorImage Component"], "versions": [{"status": "affected", "version": "6.8.0", "lessThanOrEqual": "6.8.6", "versionType": "python"}, {"status": "affected", "version": "6.10.0", "lessThanOrEqual": "6.10.1", "versionType": "python"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*", "versionStartIncluding": "6.8.0", "versionEndIncluding": "6.8.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*", "versionStartIncluding": "6.8.0", "versionEndIncluding": "6.8.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*", "versionStartIncluding": "6.8.0", "versionEndIncluding": "6.8.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*", "versionStartIncluding": "6.8.0", "versionEndIncluding": "6.8.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*", "versionStartIncluding": "6.8.0", "versionEndIncluding": "6.8.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*", "versionStartIncluding": "6.8.0", "versionEndIncluding": "6.8.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*", "versionStartIncluding": "6.8.0", "versionEndIncluding": "6.8.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*", "versionStartIncluding": "6.8.0", "versionEndIncluding": "6.8.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*", "versionStartIncluding": "6.8.0", "versionEndIncluding": "6.8.6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*", "versionStartIncluding": "6.10.0", "versionEndIncluding": "6.10.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*", "versionStartIncluding": "6.10.0", "versionEndIncluding": "6.10.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*", "versionStartIncluding": "6.10.0", "versionEndIncluding": "6.10.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*", "versionStartIncluding": "6.10.0", "versionEndIncluding": "6.10.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*", "versionStartIncluding": "6.10.0", "versionEndIncluding": "6.10.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*", "versionStartIncluding": "6.10.0", "versionEndIncluding": "6.10.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*", "versionStartIncluding": "6.10.0", "versionEndIncluding": "6.10.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*", "versionStartIncluding": "6.10.0", "versionEndIncluding": "6.10.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*", "versionStartIncluding": "6.10.0", "versionEndIncluding": "6.10.1"}]}]}], "descriptions": [{"lang": "en", "value": "Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.</p>"}]}], "references": [{"url": "https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273", "name": "Qt Code Review - Fix for QTBUG-142556", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.4, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U"}}], "solutions": [{"lang": "en", "value": "Update to Qt 6.8.7 or Qt 6.10.2 or later. As a temporary mitigation, validate and sanitize all SVG files before loading them with VectorImage, or only load SVG files from trusted sources.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Update to Qt 6.8.7 or Qt 6.10.2 or later. As a temporary mitigation, validate and sanitize all SVG files before loading them with VectorImage, or only load SVG files from trusted sources.</p>"}]}], "credits": [{"lang": "en", "value": "Qt Development Team", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-30T13:13:55.418329Z", "id": "CVE-2025-14576", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-30T13:14:04.728Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14576", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-30T13:13:55.418329Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-30T13:13:59.958Z"}}], "cna": {"title": "Possible QML code injection in VectorImage component", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Qt Development Team"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "The Qt Company", "modules": ["Qt Declarative (Qt Quick)", "VectorImage Component"], "product": "Qt", "versions": [{"status": "affected", "version": "6.8.0", "versionType": "python", "lessThanOrEqual": "6.8.6"}, {"status": "affected", "version": "6.10.0", "versionType": "python", "lessThanOrEqual": "6.10.1"}], "platforms": ["Windows", "MacOS", "Linux", "iOS", "Android", "x86", "ARM", "64 bit", "32 bit"], "packageName": "qtdeclarative", "collectionURL": "https://www.qt.io/", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to Qt 6.8.7 or Qt 6.10.2 or later. As a temporary mitigation, validate and sanitize all SVG files before loading them with VectorImage, or only load SVG files from trusted sources.", "supportingMedia": [{"type": "text/html", "value": "<p>Update to Qt 6.8.7 or Qt 6.10.2 or later. As a temporary mitigation, validate and sanitize all SVG files before loading them with VectorImage, or only load SVG files from trusted sources.</p>", "base64": false}]}], "references": [{"url": "https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273", "name": "Qt Code Review - Fix for QTBUG-142556", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.", "supportingMedia": [{"type": "text/html", "value": "<p>Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.8.6", "versionStartIncluding": "6.8.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.8.6", "versionStartIncluding": "6.8.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.8.6", "versionStartIncluding": "6.8.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.8.6", "versionStartIncluding": "6.8.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.8.6", "versionStartIncluding": "6.8.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.8.6", "versionStartIncluding": "6.8.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.8.6", "versionStartIncluding": "6.8.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.8.6", "versionStartIncluding": "6.8.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.8.6", "versionStartIncluding": "6.8.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.10.1", "versionStartIncluding": "6.10.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.10.1", "versionStartIncluding": "6.10.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.10.1", "versionStartIncluding": "6.10.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.10.1", "versionStartIncluding": "6.10.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.10.1", "versionStartIncluding": "6.10.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.10.1", "versionStartIncluding": "6.10.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.10.1", "versionStartIncluding": "6.10.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.10.1", "versionStartIncluding": "6.10.0"}, {"criteria": "cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "6.10.1", "versionStartIncluding": "6.10.0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "shortName": "TQtC", "dateUpdated": "2026-04-30T12:51:40.517Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14576", "state": "PUBLISHED", "dateUpdated": "2026-04-30T13:14:04.728Z", "dateReserved": "2025-12-12T12:52:21.516Z", "assignerOrgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "datePublished": "2026-04-30T12:39:40.067Z", "assignerShortName": "TQtC"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qt:qtdeclarative:*:*:*:*:*:*:*:*", "matchCriteriaId": "06BB3954-EACC-4FD9-B24D-88CBC2043FC3", "versionEndExcluding": "6.8.6", "versionStartIncluding": "6.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qt:qtdeclarative:*:*:*:*:*:*:*:*", "matchCriteriaId": "68D670C7-EF6F-468E-AD32-31F9169A8A20", "versionEndExcluding": "6.10.1", "versionStartIncluding": "6.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access."}], "id": "CVE-2025-14576", "lastModified": "2026-05-05T02:57:05.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "type": "Secondary"}]}, "published": "2026-04-30T13:16:02.850", "references": [{"source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "tags": ["Patch"], "url": "https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273"}], "sourceIdentifier": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-94"}], "source": "a59d8014-47c4-4630-ab43-e1b13cbe58e3", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "qt: Qt SVG: Arbitrary QML/JavaScript code injection via malicious SVG file", "id": "2464114", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464114"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-94", "details": ["A flaw was found in the Qt SVG module and the VectorImage component in Qt Quick. This vulnerability allows a remote attacker to inject arbitrary QML/JavaScript code by tricking a user into loading a specially crafted malicious SVG file. Successful exploitation could lead to denial of service, information disclosure, or other impacts, depending on the application's privileges and data access."], "name": "CVE-2025-14576", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Not affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "qt6", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qt", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qt3", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qt3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "qt5", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "qt5", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "qt5", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "qt6", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cluster-control-plane-machine-set-rhel9-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}], "public_date": "2026-04-30T12:39:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-14576\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-14576\nhttps://codereview.qt-project.org/c/qt/qtdeclarative/+/697273"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": ["windows", "macos", "linux", "ios", "android", "x86", "arm", "64_bit", "32_bit"], "status": "affected", "versions": {"scheme": "semver", "value": "[6.8.0,6.8.6]"}}, {"platform": ["windows", "macos", "linux", "ios", "android", "x86", "arm", "64_bit", "32_bit"], "status": "affected", "versions": {"scheme": "semver", "value": "[6.10.0,6.10.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Qt", "source": "cna", "vendor": "The Qt Company"}, "product": "qt", "vendor": "the_qt_company"}], "created": "2026-04-30T14:45:23.913560+00:00", "updated": "2026-05-02T00:30:16.079515+00:00", "vendors": ["the_qt_company", "the_qt_company$PRODUCT$qt"]}