diff --git a/cmake/QtPublicSbomHelpers.cmake b/cmake/QtPublicSbomHelpers.cmake
index a0a84085c0d..779aedd201c 100644
--- a/cmake/QtPublicSbomHelpers.cmake
+++ b/cmake/QtPublicSbomHelpers.cmake
@@ -673,13 +673,18 @@ function(_qt_internal_sbom_add_target target)
 
     if(arg_CPE)
         list(APPEND project_package_options CPE "${arg_CPE}")
-    elseif(arg_CPE_VENDOR AND arg_CPE_PRODUCT)
+    endif()
+    if(arg_CPE_VENDOR AND arg_CPE_PRODUCT)
         _qt_internal_sbom_compute_security_cpe(custom_cpe
             VENDOR "${arg_CPE_VENDOR}"
             PRODUCT "${arg_CPE_PRODUCT}"
             VERSION "${package_version}")
         list(APPEND project_package_options CPE "${custom_cpe}")
-    elseif(is_qt_entity_type)
+    endif()
+    if(qa_cpe)
+        list(APPEND project_package_options CPE "${qa_cpe}")
+    endif()
+    if(is_qt_entity_type)
         _qt_internal_sbom_compute_security_cpe_for_qt(cpe_list)
         list(APPEND project_package_options CPE "${cpe_list}")
     endif()
@@ -2246,6 +2251,7 @@ function(_qt_internal_sbom_read_qt_attribution out_prefix)
         _qt_internal_sbom_get_attribution_key(Copyright copyrights "${out_prefix}")
         _qt_internal_sbom_get_attribution_key(CopyrightFile copyright_file "${out_prefix}")
         _qt_internal_sbom_get_attribution_key(UpstreamPURL upstream_purl "${out_prefix}")
+        _qt_internal_sbom_get_attribution_key(CPE cpe "${out_prefix}")
 
         # In some attribution files (like harfbuzz) Copyright contains an array of copyrights rather
         # than a single string. Extract all of them.