Description
RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.
Published: 2026-06-30
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection flaw in RPG MAKER MV and MZ that allows an attacker to execute arbitrary operating system commands when a specially crafted save file is loaded. This attack can compromise confidentiality, integrity, and availability of the affected system, as the injected commands run with the privileges of the application. The weakness matches CWE-78.

Affected Systems

The affected items are RPG MAKER MV and RPG MAKER MZ by Gotcha Gotcha Games Inc. No specific version numbers are provided, so all releases may be impacted until a patch is released.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity vulnerability. Because the EPSS score is not available, the current exploitation probability cannot be quantified, but the lack of a KEV listing suggests no widespread exploitation has yet been reported. Likely, an attacker must deliver a malicious save file to the victim; the vector could be local or remote if the file can be propagated through shared storage or network access. Once the file is opened, the injected command is executed, making the attack highly destructive.

Generated by OpenCVE AI on June 30, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of RPG MAKER MV or MZ once the vendor releases a patch that removes the command injection path.
  • If no patch is available, strictly limit or disable the ability to load external save files from untrusted sources, and use file integrity checks to ensure only signatures from the vendor are accepted.
  • Implement application whitelisting or execution restriction to prevent arbitrary OS commands from being executed by the game, and monitor for abnormal command execution patterns.
  • Apply least‑privilege principles so that the game runs with minimal permissions, reducing the impact of any command that may be injected.

Generated by OpenCVE AI on June 30, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection via Malicious Save File in RPG MAKER MV and MZ

Tue, 30 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Description RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-06-30T06:02:47.607Z

Reserved: 2026-06-19T05:52:27.686Z

Link: CVE-2026-56137

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T08:30:04Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')