Search

Find a vulnerability

Search criteria

    3 vulnerabilities by Gotcha Gotcha Games Inc.

    JVNDB-2026-000093

    Vulnerability from jvndb - Published: 2026-06-30 18:07 - Updated:2026-06-30 18:07
    Severity
    Summary
    RPG MAKER MV and MZ vulnerable to OS command injection
    Details
    RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. are game development tools, which provide "save data" facility to create a file to preserve game status and related parameters. A user can save the current game status to a save-file, and later load the file to resume playing the game. When loading a save-file, RPG MAKER MV and MZ fail to properly treat crafted contents, and may lead to OS command injection.
    • OS Command Injection (CWE-78) - CVE-2026-56137
    Shuta Ide of GMO Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000093.html",
      "dc:date": "2026-06-30T18:07+09:00",
      "dcterms:issued": "2026-06-30T18:07+09:00",
      "dcterms:modified": "2026-06-30T18:07+09:00",
      "description": "RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. are game development tools, which provide \"save data\" facility to create a file to preserve game status and related parameters. A user can save the current game status to a save-file, and later load the file to resume playing the game.\r\nWhen loading a save-file, RPG MAKER MV and MZ fail to properly treat crafted contents, and may lead to OS command injection.\u003ca href=\u0027https://cwe.mitre.org/data/definitions/78.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003cul\u003e\u003cli\u003eOS Command Injection (CWE-78) - CVE-2026-56137\u003c/li\u003e\u003c/ul\u003eShuta Ide of GMO Flatt Security Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000093.html",
      "sec:cpe": [
        {
          "#text": "cpe:/a:misc:gotcha_gotcha_games_rpg_maker_mv",
          "@product": "RPG Maker MV",
          "@vendor": "Gotcha Gotcha Games Inc.",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/a:misc:gotcha_gotcha_games_rpg_maker_mz",
          "@product": "RPG Maker MZ",
          "@vendor": "Gotcha Gotcha Games Inc.",
          "@version": "2.2"
        }
      ],
      "sec:cvss": {
        "@score": "7.8",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2026-000093",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN69681784/index.html",
          "@id": "JVN#69681784",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2026-56137",
          "@id": "CVE-2026-56137",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-78",
          "@title": "OS Command Injection(CWE-78)"
        }
      ],
      "title": "RPG MAKER MV and MZ vulnerable to OS command injection"
    }

    CVE-2026-56137 (GCVE-0-2026-56137)

    Vulnerability from nvd – Published: 2026-06-30 06:02 – Updated: 2026-06-30 12:53
    VLAI
    Summary
    RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56137",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-30T12:53:07.509137Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:53:15.013Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "RPG MAKER MV",
              "vendor": "Gotcha Gotcha Games Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.6.3 and earlier"
                }
              ]
            },
            {
              "product": "RPG MAKER MZ",
              "vendor": "Gotcha Gotcha Games Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.10.0 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T06:02:47.607Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://rpgmakerofficial.com/en/news/4188/"
            },
            {
              "url": "https://rpgmakerofficial.com/news/4183/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN69681784/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2026-56137",
        "datePublished": "2026-06-30T06:02:47.607Z",
        "dateReserved": "2026-06-19T05:52:27.686Z",
        "dateUpdated": "2026-06-30T12:53:15.013Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56137 (GCVE-0-2026-56137)

    Vulnerability from cvelistv5 – Published: 2026-06-30 06:02 – Updated: 2026-06-30 12:53
    VLAI
    Summary
    RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56137",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-30T12:53:07.509137Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:53:15.013Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "RPG MAKER MV",
              "vendor": "Gotcha Gotcha Games Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.6.3 and earlier"
                }
              ]
            },
            {
              "product": "RPG MAKER MZ",
              "vendor": "Gotcha Gotcha Games Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.10.0 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T06:02:47.607Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://rpgmakerofficial.com/en/news/4188/"
            },
            {
              "url": "https://rpgmakerofficial.com/news/4183/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN69681784/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2026-56137",
        "datePublished": "2026-06-30T06:02:47.607Z",
        "dateReserved": "2026-06-19T05:52:27.686Z",
        "dateUpdated": "2026-06-30T12:53:15.013Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }