Qt SVG Module Node ID Validation Vulnerability Allowing Code Injection via Malicious SVG Files

Vulnerability

A vulnerability in the Qt SVG module has been identified, stemming from inadequate validation of node IDs. This flaw enables the injection of arbitrary QML or JavaScript code when malicious SVG files are loaded through the VectorImage component in Qt Quick. Although QML execution is generally more limited than native code execution, this vulnerability could still result in denial of service, information disclosure, or other impacts, depending on the application's privilege level and data access.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution in QML or JavaScript, with potential consequences including denial of service, information disclosure, or other impacts based on the application's privileges and data access.

Added: Apr 30, 2026, 1:23 PM

Updated: Apr 30, 2026, 1:23 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

4.9

remediation

0.0

relevance

7.1

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

4.9

remediation

0.0

relevance

7.1

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Qt SVG Module Node ID Validation Vulnerability Allowing Code Injection via Malicious SVG Files

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating