CVE

CVE-2025-65027

RomM Chained XSS and CSRF Vulnerabilities Enable Admin Account Takeover

CVE

CVE-2025-65027

RomM Chained XSS and CSRF Vulnerabilities Enable Admin Account Takeover

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS) which when combined with a CSRF misconfiguration they lead to achieve full administrative account takeover, creating a rogue admin account, escalating the attacker account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.6

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65027.json, https://github.com/rommapp/romm/security/advisories/GHSA-v3c6-w996-f7hx, https://nvd.nist.gov/vuln/detail/CVE-2025-65027

Severity

7.6

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.6

EPSS Probability

0.00018%

EPSS Percentile

0.03617%

Introduced Version

Fix Available

3e675f27072c44434330d2992505e264a9ca57ca

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-65027

CVE-2025-65027

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

7.6

Basic Information

Fix Critical Vulnerabilities Instantly