JVN#69681784
RPG MAKER MV and MZ vulnerable to OS command injection
Overview
RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability.
Products Affected
- RPG MAKER MV versions 1.6.3 and earlier
- RPG MAKER MZ versions 1.10.0 and earlier
Description
RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. are game development tools that provide a "save data" facility, which creates a file to preserve the game status and related parameters. A user can save the current game status to a save-file and later load the file to resume playing the game.
When loading a save-file, RPG MAKER MV and MZ do not properly handle crafted contents, which may lead to OS command injection.
- OS Command Injection (CWE-78)
- CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
- CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
- CVE-2026-56137
Impact
If a user loads a specially crafted save-file, an arbitrary OS command may be executed.
Solution
Apply the Workaround
The developer recommends that users not load untrusted save-files.
Vendor Status
| Vendor | Link |
| --- | --- |
| Gotcha Gotcha Games Inc. | Notice Regarding the Handling of Games, Save Data, and Assets from Unknown Sources |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Shuta Ide of GMO Flatt Security Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2026-56137 |
| JVN iPedia | JVNDB-2026-000093 |