Arbitrary file upload in Rommapp Romm

CVE-2025-54071

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. In versions 4.0.0-beta.3 and below, an authenticated arbitrary file write vulnerability exists in the /api/saves…

Vulnerability class: Unrestricted File Upload

EPSS: 0.031 (87.0th percentile)
