CVE-2025-65027

EPSS 0.02%
Veröffentlicht 03.12.2025 19:36:02
Zuletzt bearbeitet 24.02.2026 20:04:06
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS) which when combined with a CSRF misconfiguration they lead to achieve full administrative account takeover, creating a rogue admin account, escalating the attacker account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Romm.App ≫ Romm Version < 4.4.1

Romm.App ≫ Romm Version4.4.1 Updatebeta1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.058

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.6	2.1	5.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/rommapp/romm/security/advisories/GHSA-v3c6-w996-f7hx

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2025-65027

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-65027

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-65027

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-65027