CVE-2025-65027 is a vulnerability in RomM (ROM Manager), a software application used for managing game collections. The flaw arises from multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files containing embedded JavaScript. When these files are accessed by other users or administrators, the browser executes the embedded scripts, resulting in stored Cross-Site Scripting (XSS). Stored XSS enables attackers to execute arbitrary JavaScript in the context of the victim’s browser session, potentially stealing session tokens, manipulating the DOM, or performing actions on behalf of the user. The vulnerability is exacerbated by a Cross-Site Request Forgery (CSRF) misconfiguration, which allows attackers to leverage the stored XSS to perform unauthorized actions without user consent. This combination enables attackers to escalate privileges from authenticated user to administrator, create rogue admin accounts, and fully compromise the application’s administrative functions. The vulnerability impacts versions of RomM prior to 4.4.1-beta.2 and was assigned a CVSS v3.1 score of 7.6, indicating high severity. The attack vector is network-based, requiring low attack complexity, with privileges required at the user level and some user interaction. The vulnerability affects confidentiality (partial), integrity (high), and availability (high) of the system. Although no known exploits are currently reported in the wild, the potential impact is significant. The vendor has addressed the issue in versions 4.4.1 and 4.4.1-beta.2 by fixing the file upload validation and CSRF protections.

For European organizations using RomM, this vulnerability poses a significant risk of unauthorized administrative access and control over the application. Attackers could manipulate game collections, alter data integrity, or disrupt service availability. The stored XSS combined with CSRF can lead to full account takeover, allowing attackers to create rogue admin accounts and escalate privileges, potentially compromising sensitive user data and internal systems linked to RomM. Organizations in sectors with high gaming or digital entertainment usage, such as Germany, France, and the UK, may face increased exposure. The breach of administrative controls could also facilitate lateral movement within networks, increasing the risk of broader compromise. Additionally, regulatory compliance risks arise if personal data is exposed or manipulated, potentially violating GDPR requirements. The absence of known exploits in the wild reduces immediate risk but should not lead to complacency given the ease of exploitation and high impact.

European organizations should immediately upgrade RomM to version 4.4.1 or later to apply the vendor’s patch. In addition, implement strict server-side validation to restrict file upload types, disallowing SVG and HTML files unless absolutely necessary, and sanitize all uploaded content to prevent embedded scripts. Employ Content Security Policy (CSP) headers to limit script execution contexts and reduce XSS impact. Harden CSRF protections by ensuring anti-CSRF tokens are properly implemented and validated for all state-changing requests. Conduct regular security audits and penetration testing focusing on file upload functionalities and session management. Educate users about phishing and social engineering risks that could facilitate exploitation. Monitor logs for suspicious file uploads and unusual administrative activities. Consider network segmentation to isolate RomM servers and limit potential lateral movement in case of compromise. Finally, maintain an incident response plan tailored to web application attacks involving privilege escalation.