CVE-2025-14575 PUBLISHED

Uncontrolled Search Path Element in Qt Network OpenSSL TLS backend allows rogue CA certificate loading

Assigner: TQtC
Reserved: 12.12.2025 Published: 19.05.2026 Updated: 19.05.2026

An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to load a rogue CA certificate as a trusted system authority via a crafted certificate file placed in the application's working directory.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 1.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	Low	Confidentiality	None
Attack Complexity	High	Integrity	Low	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	The Qt Company
Product	Qt
Versions	Default: unaffected affected from 5.0.0 to 5.15.19 (incl.) affected from 6.0.0 to 6.5.9 (incl.) affected from 6.6.0 to 6.8.3 (incl.) affected from 6.9.0 to 6.9.1 (incl.)

References

Gerrit: QSslCertificate::fromPath — reject empty path strings (Qt 6.9.2+)

Problem Types

CWE-427: Uncontrolled Search Path Element CWE

Impacts

CAPEC-38 Leveraging/Manipulating Configuration File Search Paths