ROMM - Browse /4.4.1 at SourceForge.net

The interactive file manager requires Javascript. Please enable it or use sftp or scp.
You may still browse the files here.

Name	Modified	Size	InfoDownloads / Week
Parent folder
4.4.1 source code.tar.gz	2025-11-19	23.2 MB	0
4.4.1 source code.zip	2025-11-19	120.6 MB	0
README.md	2025-11-19	4.2 kB	0
Totals: 3 Items		143.8 MB	0

[!CAUTION] This release patches two high (CVE-2025-65027 and CVE-2025-65097) and one moderate (CVE-2025-65096) severity vulnerabilities. An attacker who already has an account (with any role) on the instance can, with a special crafted link, gain full administrative control, create a new admin account, or escalate their own privileges. All previous versions are affected, and all server owners should update to this version as soon as possible.

As a precaution, users may be kicked out of their logged-in session when first accessing the app, editing a game or running a scan, which will regenerate session and CSRF cookies. This should only happen once.

Private or single-user instances are not at risk. Server owners should treat any links to RomM from users as suspicious. Further details will be published in 14 days to give server owners time to upgrade.

Minor changes

[ROMM-2650] Add FPKGi support for PS4/PS5 by @gantoine in https://github.com/rommapp/romm/pull/2663
Use internal SHA1 hash if CHD file is v5 by @sftwninja in https://github.com/rommapp/romm/pull/2678
Add French translations for Metadata Sources page by @tvdu29 in https://github.com/rommapp/romm/pull/2684
Add translations for ROM management dialogs by @tvdu29 in https://github.com/rommapp/romm/pull/2686
Add Czech locale by @Slabak007 in https://github.com/rommapp/romm/pull/2693

Fixes

remove ge on tinfoil releaseDate and let field_validator fix it by @gantoine in https://github.com/rommapp/romm/pull/2630
[ROMM-2628] Fix desirialize job func_name by @gantoine in https://github.com/rommapp/romm/pull/2637
[HOTFIX] Fix importing media from gamelist.xml by @gantoine in https://github.com/rommapp/romm/pull/2636
[ROMM-2639][ROMM-2627] Stop running scans during migration by @gantoine in https://github.com/rommapp/romm/pull/2644
[ROMM-2645] Wrap items in feeds with double quotes by @gantoine in https://github.com/rommapp/romm/pull/2647
[ROMM-2648] Encode filename of download URLs in feeds endpoints by @gantoine in https://github.com/rommapp/romm/pull/2649
[ROMM-2654] Fix manually uploading manual by @gantoine in https://github.com/rommapp/romm/pull/2661
[HOTFIX] Set all v-avatar to text to remove flat background color by @gantoine in https://github.com/rommapp/romm/pull/2662
[ROMM-2657] Safe access env vars with defaults by @gantoine in https://github.com/rommapp/romm/pull/2664
[HOTFIX] _mask_sensitive_values should check for null values by @gantoine in https://github.com/rommapp/romm/pull/2670
[ROMM-2669] Reset url_cover and url_manual to rom value if unchanged by @gantoine in https://github.com/rommapp/romm/pull/2671
[HOTFIX] Fix flashpoint match by UUID by @gantoine in https://github.com/rommapp/romm/pull/2681
[ROMM-2679] Stop force to string url_manual by @gantoine in https://github.com/rommapp/romm/pull/2682
Fix multipart strings by @gantoine in https://github.com/rommapp/romm/pull/2688
Fix CSRF failure on first admin signup by @gantoine in https://github.com/rommapp/romm/pull/2691

Other changes

Bump fastapi, starlette and fastapi-pagination by @gantoine in https://github.com/rommapp/romm/pull/2634
Corrects the indentation level of the "media" list in config.example.yml by @LouiseRipley in https://github.com/rommapp/romm/pull/2643
Bump js-yaml from 4.1.0 to 4.1.1 in /frontend by @dependabot[bot] in https://github.com/rommapp/romm/pull/2659
Add github action to update HLTB API url by @gantoine in https://github.com/rommapp/romm/pull/2683
Implement CSRF middleware directly in repo by @gantoine in https://github.com/rommapp/romm/pull/2687