JVNDB-2026-000093

RPG MAKER MV and MZ vulnerable to OS command injection

Overview

RPG MAKER MV and MZ, provided by Gotcha Gotcha Games Inc., are game development tools that provide a "save data" facility, which creates a file to preserve the game status and related parameters. A user can save the current game status to a save-file and later load the file to resume playing the game.
When loading a save-file, RPG MAKER MV and MZ fail to properly handle crafted contents, which may lead to OS command injection.
  • OS Command Injection (CWE-78) - CVE-2026-56137
Shuta Ide of GMO Flatt Security Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS v3 Severity
Base Metrics: 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS v4 Severity
Base Metrics: 8.4 (High) [IPA Score]
  • Access Vector (AV): Local
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): Active
  • Vulnerable System Impact
      • Confidentiality Impact (VC): High
      • Integrity Impact (VI): High
      • Availability Impact (VA): High
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
Affected Products


Gotcha Gotcha Games Inc.
  • RPG Maker MV versions 1.6.3 and earlier
  • RPG Maker MZ versions 1.10.0 and earlier

Impact

If a user loads a specially crafted save-file, an arbitrary OS command may be executed.
Solution

[Apply the Workaround]
The developer recommends that users not load untrusted save-files.
Vendor Information

Gotcha Gotcha Games Inc.
CWE

  1. OS Command Injection (CWE-78) [IPA Evaluation]
CVE

  1. CVE-2026-56137
References

  1. JVN : JVN#69681784
Revision History

  • [2026/06/30]
      Web page was published