Note that it seems to be exploited already: "Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild.".
Seeing that it's being actively exploited, this should probably block 5.12.2? See the upstream fix.
Taking the freedom to also mail email@example.com to make them aware of this - still made a public bug report as the vulnerability in Chromium is public as well.
|For Gerrit Dashboard: QTBUG-74254|
|255162,2||[Backport] CVE-2019-5786||69-based||qt/qtwebengine-chromium||Status: MERGED||+2||0|
|255187,2||Update Chromium||5.12.2||qt/qtwebengine||Status: MERGED||+2||0|
|257344,2||[Backport] CVE-2019-5786||56-based||qt/qtwebengine-chromium||Status: MERGED||+2||0|