CVE-2026-56137
OS Command Injection in RPG Maker MV and MZ

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: JPCERT/CC

Description

RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, an arbitrary OS command may be executed.

Affected Vendors & Products

Vendor                    Product        Version / Range
gotcha_gotcha_games_inc   rpg_maker_mv   to 1.6.4 (exc)
gotcha_gotcha_games_inc   rpg_maker_mz   to 1.10.1 (exc)

Exploitability

CWE
CWE ID   Description
CWE-78   The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Executive Summary

CVE-2026-56137 is an OS command injection vulnerability found in RPG MAKER MV and MZ, game development tools by Gotcha Gotcha Games Inc.

The vulnerability occurs when a user loads a specially crafted save-file, which can cause arbitrary operating system commands to be executed.

Impact Analysis

If you load a maliciously crafted save-file from an untrusted source, arbitrary OS commands may be executed on your system.

This can lead to crashes or potentially allow an attacker to execute harmful commands on your computer.

To mitigate this risk, it is advised to avoid loading save data, games, or assets from unknown or untrusted sources such as social media, online forums, or file-sharing services.

Users should rely on their own save data or trusted sources to maintain safety.

Detection Guidance

This vulnerability is triggered by loading a specially crafted save-file in RPG MAKER MV or MZ, which leads to arbitrary OS command execution.

There are no specific detection commands or network-based detection methods provided in the available information.

The recommended approach is to monitor and control the source of save-files being loaded, ensuring only trusted and verified save-files are used.

Mitigation Strategies

To mitigate this vulnerability, avoid loading save-files from untrusted or unknown sources such as social media, online forums, or file-sharing services.

Use only save-files that you have created yourself or obtained from trusted sources.

RPG Maker has issued warnings and plans to strengthen safety advisories through their products, manuals, and social media to promote safer usage.
