PT-2025-47563 · Romm · Romm

Published: 2025-11-20 · Updated: 2025-12-03 · CVE-2025-65027

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: RomM versions prior to 4.4.1; RomM version 4.4.1-beta.2

Description: RomM allows users to scan, enrich, browse, and play their game collections. The software contains multiple unrestricted file upload flaws that permit authenticated users to upload malicious SVG or HTML files. Accessing these files results in stored Cross-Site Scripting (XSS). Combined with a Cross-Site Request Forgery (CSRF) misconfiguration, this can lead to full administrative account takeover, including the creation of rogue admin accounts and escalation of attacker account roles to administrator level. The vulnerability allows the embedded JavaScript to execute when the uploaded files are accessed by a browser.

Recommendations: Update RomM to version 4.4.1 or 4.4.1-beta.2.
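As an added illustration of the mitigation side of this advisory (not RomM's own code; function and constant names are hypothetical), the check below accepts an uploaded "image" only when its bytes match a raster format, rejects SVG or HTML content even when the filename or declared MIME type says otherwise, and builds response headers that keep a browser from rendering a stored upload as an active document.

```python
import re
from typing import Optional

# Magic numbers of raster formats that a browser cannot treat as a document.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"RIFF": "image/webp",  # RIFF....WEBP; the WEBP tag is verified below
}
# Markup that turns an "image" into an active document when rendered.
# Only ASCII markers in the first 512 bytes are checked; other encodings
# (for example UTF-16) would need decoding first.
ACTIVE_MARKUP = re.compile(rb"<\s*(svg|html|script|iframe|!doctype)", re.I)


def classify_upload(data: bytes) -> Optional[str]:
    """Return the sniffed raster MIME type, or None if the upload is refused."""
    head = data[:512]
    if ACTIVE_MARKUP.search(head):
        return None  # SVG/HTML/script content, whatever the extension claims
    for magic, mime in RASTER_MAGIC.items():
        if head.startswith(magic):
            if mime == "image/webp" and head[8:12] != b"WEBP":
                continue  # some other RIFF container (e.g. WAVE), not an image
            return mime
    return None  # unknown format: refuse rather than trust the client's type


def inert_headers(mime: str) -> dict:
    """Headers for serving a stored upload so the browser never executes it."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",  # no sniffing up to text/html
        "Content-Disposition": "attachment",  # download, never render inline
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and an SVG carrying a script.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script>void 0</script></svg>'
    print(classify_upload(png), classify_upload(svg))  # image/png None
```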

Tags: XSS · Unrestricted File Upload · CSRF

Weakness Enumeration

Related Identifiers: CVE-2025-65027, GHSA-V3C6-W996-F7HX

Affected Products: Romm