CVE-2025-65027 HIGH

CVE-2025-65027: RomM Chained XSS and CSRF Vulnerabilities Enable Admin Account Takeover

Vendor Rommapp
Product romm
Weakness CWE-79 · XSS
Published December 3, 2025
Last update December 3, 2025

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H

What the vulnerability does

01 Description

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed, the browser executes the embedded JavaScript, resulting in stored cross-site scripting (XSS). Combined with a CSRF misconfiguration, the stored XSS can be chained into a full administrative account takeover: creating a rogue admin account, escalating the attacker's own account to the admin role, and more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.
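The description above gives the shape of the chain: an authenticated user uploads a file the server stores as an image, the server later hands it back to a browser in the application's origin, and the browser renders it as SVG or HTML and runs the script inside. The following is an added example, not RomM's own code or its actual fix, written in Python (the language of RomM's backend) to show the generic controls that break both halves of such a chain: validating uploads by their bytes rather than by filename or declared type, serving anything that is not a known raster image as a download with nosniff and a restrictive CSP, and failing state-changing requests that arrive from a foreign origin. All function names, the allow-list and the sample files are constructed for this example.

```python
import re
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Magic-byte signatures for the raster image types a ROM manager would legitimately
# accept as cover art or screenshots (constructed allow-list for this example).
RASTER_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)
SAFE_INLINE = {"image/png", "image/jpeg", "image/gif", "image/webp"}
EXTENSIONS = {"image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"},
              "image/gif": {"gif"}, "image/webp": {"webp"}}

_SVG_TAG = re.compile(rb"<\s*svg\b", re.I)
_HTML_TAG = re.compile(
    rb"<\s*(?:!doctype\s+html|html|script|body|iframe|object|embed)\b", re.I)


def sniff_upload(data: bytes) -> str:
    """Derive a content type from the bytes. The client's filename and declared
    Content-Type are attacker-controlled and deliberately ignored."""
    head = data[:16]
    for magic, ctype in RASTER_SIGNATURES:
        if head.startswith(magic):
            return ctype
    if head.startswith(b"RIFF") and head[8:12] == b"WEBP":
        return "image/webp"
    sample = data[:4096]  # enough to get past an XML prolog, BOM or leading comments
    if _SVG_TAG.search(sample):
        return "image/svg+xml"  # active content: SVG carries <script> and event handlers
    if _HTML_TAG.search(sample):
        return "text/html"
    return "application/octet-stream"


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return None if the file may be stored as an image, otherwise a rejection reason.
    An SVG or HTML payload renamed to .png fails here, whatever the client claimed."""
    ctype = sniff_upload(data)
    if ctype not in SAFE_INLINE:
        return f"rejected: content sniffed as {ctype}; only raster images are accepted"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSIONS[ctype]:
        return f"rejected: extension .{ext} does not match sniffed type {ctype}"
    return None


def serve_headers(filename: str, data: bytes) -> Dict[str, str]:
    """Response headers for a stored user file. Anything that is not a known raster
    image is forced to download; nosniff stops the browser from second-guessing the
    type, and the CSP neuters any script if the file were ever rendered as a document."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:128] or "download"
    ctype = sniff_upload(data)
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if ctype in SAFE_INLINE:
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


def csrf_origin_ok(method: str, headers: Dict[str, str], allowed_origins: Set[str]) -> bool:
    """Origin check for state-changing requests (the CSRF half of the chain). Safe
    methods pass; a missing or foreign Origin/Referer fails closed."""
    if method.upper() in {"GET", "HEAD", "OPTIONS"}:
        return True
    lower = {k.lower(): v for k, v in headers.items()}
    origin = lower.get("origin")
    if not origin and lower.get("referer"):
        parts = urlsplit(lower["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin is not None and origin.lower() in allowed_origins


# Constructed sample uploads for the demo: a minimal PNG header, and an SVG payload
# that an attacker has renamed to cover.png.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
SAMPLE_SVG_AS_PNG = (b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg" '
                     b'onload="alert(document.cookie)"><script>/* ... */</script></svg>')

if __name__ == "__main__":
    for name, blob in (("cover.png", SAMPLE_PNG), ("cover.png", SAMPLE_SVG_AS_PNG)):
        print(name, sniff_upload(blob), validate_upload(name, blob) or "accepted")
        print("   served with:", serve_headers(name, blob)["Content-Disposition"])
    print(csrf_origin_ok("POST", {"Origin": "https://attacker.example"}, {"https://romm.example"}))
```

Two caveats a practitioner should keep in mind. First, the order of the controls matters: once an uploaded file executes script in the application's own origin, no CSRF or Origin check helps, because the script already holds the victim's session and can read any anti-CSRF token; the upload-side validation and the download-only serving are what actually break this chain, and serving user content from a separate origin altogether is the stronger form of the same idea. Second, byte sniffing accepts polyglots (a valid PNG with HTML appended is still classified as image/png), which is why the nosniff header and the CSP on the response are kept even for files that pass validation.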

Key dates

02 Disclosure timeline

December 3, 2025 CVE published
December 3, 2025 Record updated

Related vulnerabilities

04 Related CVE