VYPR
Unrated severityNVD Advisory· Published Dec 3, 2025· Updated Dec 3, 2025

RomM Insecure Direct Object Reference (IDOR) Allows Unauthorized Access to Private Collections

CVE-2025-65096

Description

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership verification or checking if the collection is public/private before returning collection data. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Rommapp/Rommllm-fuzzy2 versions
    <4.4.1+ 1 more
    • (no CPE)range: <4.4.1
    • (no CPE)range: < 4.4.1-beta.2

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.