Impact
Insufficient validation of node identifiers in the Qt SVG module allows an attacker to embed and execute arbitrary QML or JavaScript code when a malicious SVG file is loaded with the VectorImage component. Although execution is limited to the QML environment, it can still lead to denial of service, information disclosure, or other impacts depending on the privileges of the running application.
Affected Systems
The vulnerability affects applications built with Qt 6, specifically the Qt Quick and Qt SVG modules across all supported platforms (32‑bit, 64‑bit, Android, ARM, iOS, Linux, macOS, Windows, and x86). Versions prior to Qt 6.8.7 or Qt 6.10.2 are vulnerable; the security fix is available in Qt 6.8.7, Qt 6.10.2, and later releases.
Risk and Exploitability
The CVSS score of 7.4 indicates a high severity. EPSS is not available, so the probability of exploitation at this time is unknown, and the vulnerability is not listed in the CISA KEV catalog. Because the raw SVG file can be supplied by an untrusted source or remote server, it is reasonable to infer a network-facing attack vector. Exploitation requires delivering a crafted SVG file that references a node ID triggering QML code execution; the impact is limited to the application’s context but can still be significant.
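For applications that cannot move to a fixed Qt release immediately, a pre-load check on node identifiers can reject suspicious files before they reach VectorImage. The sketch below is an added example, not Qt's patch or code from the advisory. The function names, the sample SVG strings and the allowlist are assumptions: the advisory does not say which characters are dangerous, so the check accepts only a narrow identifier shape and fails closed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: a deliberately strict allowlist (letters, digits, underscore).
# It is not derived from the Qt fix; widen it only after upgrading.
SAFE_ID = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")

def unsafe_svg_ids(svg_text):
    """Return every id attribute value that fails the allowlist."""
    # Refuse DTDs and entity declarations outright so entity expansion
    # cannot hide an identifier from this check.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(svg_text)
    bad = []
    for elem in root.iter():
        for name, value in elem.attrib.items():
            # Cover plain "id" and namespaced forms such as xml:id.
            local = name.rsplit("}", 1)[-1]
            if local == "id" and not SAFE_ID.fullmatch(value):
                bad.append(value)
    return bad

def is_safe_to_load(svg_text):
    """True only if the file parses and every id passes the allowlist."""
    try:
        return not unsafe_svg_ids(svg_text)
    except (ET.ParseError, ValueError):
        return False  # fail closed on anything unparseable or refused

# Constructed sample inputs (not taken from the advisory).
BENIGN = ('<svg xmlns="http://www.w3.org/2000/svg">'
          '<rect id="rect_1" width="4" height="4"/></svg>')
SUSPECT = ('<svg xmlns="http://www.w3.org/2000/svg">'
           '<g id="layer 1 (copy)"><rect id="ok2"/></g></svg>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, is_safe_to_load(doc), unsafe_svg_ids(doc))
```

A check like this is defense in depth only; the remedy the advisory gives is upgrading to Qt 6.8.7, Qt 6.10.2, or later.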