{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T12:08:13.252","vulnerabilities":[{"cve":{"id":"CVE-2025-53908","sourceIdentifier":"security-advisories@github.com","published":"2025-07-16T20:15:24.857","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"RomM is a self-hosted rom manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the `/api/raw` endpoint. Anyone running the latest version of RomM who has multiple users, even unprivileged users, such as the kiosk user in the official implementation, may be affected. This allows the leakage of passwords and users that may be stored on the system. Versions 3.10.3 and 4.0.0-beta.3 contain a patch."},{"lang":"es","value":"RomM es un gestor y reproductor de ROM autoalojado. Las versiones anteriores a la 3.10.3 y 4.0.0-beta.3 presentan una vulnerabilidad de path traversal autenticada en el endpoint `/api/raw`. Cualquiera que ejecute la última versión de RomM y tenga varios usuarios, incluso sin privilegios, como el usuario de kiosco en la implementación oficial, podría verse afectado. Esto permite la filtración de contraseñas y usuarios almacenados en el sistema. Las versiones 3.10.3 y 4.0.0-beta.3 incluyen un parche."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-26"}]}],"references":[{"url":"https://github.com/rommapp/romm/blob/4.0.0-beta.2/backend/endpoints/raw.py#L31","source":"security-advisories@github.com"},{"url":"https://github.com/rommapp/romm/commit/7c94cb05e74ddb6a6af7b82320686c01754e9966","source":"security-advisories@github.com"},{"url":"https://github.com/rommapp/romm/commit/baa1a9759079c36e36a9f10c920c46b57d0b6151","source":"security-advisories@github.com"},{"url":"https://github.com/rommapp/romm/security/advisories/GHSA-fx9g-xw4j-jwc3","source":"security-advisories@github.com"},{"url":"https://github.com/rommapp/romm/security/advisories/GHSA-fx9g-xw4j-jwc3","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}]}