Search
Find a vulnerability
Search criteria
3 vulnerabilities by Gotcha Gotcha Games Inc.
JVNDB-2026-000093
Vulnerability from jvndb - Published: 2026-06-30 18:07 - Updated:2026-06-30 18:07
Severity
Summary
RPG MAKER MV and MZ vulnerable to OS command injection
Details
RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. are game development tools, which provide "save data" facility to create a file to preserve game status and related parameters. A user can save the current game status to a save-file, and later load the file to resume playing the game.
When loading a save-file, RPG MAKER MV and MZ fail to properly treat crafted contents, and may lead to OS command injection.
- OS Command Injection (CWE-78) - CVE-2026-56137
References
| Type | URL | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000093.html",
"dc:date": "2026-06-30T18:07+09:00",
"dcterms:issued": "2026-06-30T18:07+09:00",
"dcterms:modified": "2026-06-30T18:07+09:00",
"description": "RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. are game development tools, which provide \"save data\" facility to create a file to preserve game status and related parameters. A user can save the current game status to a save-file, and later load the file to resume playing the game.\r\nWhen loading a save-file, RPG MAKER MV and MZ fail to properly treat crafted contents, and may lead to OS command injection.\u003ca href=\u0027https://cwe.mitre.org/data/definitions/78.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003cul\u003e\u003cli\u003eOS Command Injection (CWE-78) - CVE-2026-56137\u003c/li\u003e\u003c/ul\u003eShuta Ide of GMO Flatt Security Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000093.html",
"sec:cpe": [
{
"#text": "cpe:/a:misc:gotcha_gotcha_games_rpg_maker_mv",
"@product": "RPG Maker MV",
"@vendor": "Gotcha Gotcha Games Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/a:misc:gotcha_gotcha_games_rpg_maker_mz",
"@product": "RPG Maker MZ",
"@vendor": "Gotcha Gotcha Games Inc.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "7.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2026-000093",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN69681784/index.html",
"@id": "JVN#69681784",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2026-56137",
"@id": "CVE-2026-56137",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
}
],
"title": "RPG MAKER MV and MZ vulnerable to OS command injection"
}
CVE-2026-56137 (GCVE-0-2026-56137)
Vulnerability from nvd – Published: 2026-06-30 06:02 – Updated: 2026-06-30 12:53
VLAI
Summary
RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Gotcha Gotcha Games Inc. | RPG MAKER MV |
Affected:
1.6.3 and earlier
|
|
| Gotcha Gotcha Games Inc. | RPG MAKER MZ |
Affected:
1.10.0 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56137",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T12:53:07.509137Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:53:15.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RPG MAKER MV",
"vendor": "Gotcha Gotcha Games Inc.",
"versions": [
{
"status": "affected",
"version": "1.6.3 and earlier"
}
]
},
{
"product": "RPG MAKER MZ",
"vendor": "Gotcha Gotcha Games Inc.",
"versions": [
{
"status": "affected",
"version": "1.10.0 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T06:02:47.607Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://rpgmakerofficial.com/en/news/4188/"
},
{
"url": "https://rpgmakerofficial.com/news/4183/"
},
{
"url": "https://jvn.jp/en/jp/JVN69681784/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-56137",
"datePublished": "2026-06-30T06:02:47.607Z",
"dateReserved": "2026-06-19T05:52:27.686Z",
"dateUpdated": "2026-06-30T12:53:15.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56137 (GCVE-0-2026-56137)
Vulnerability from cvelistv5 – Published: 2026-06-30 06:02 – Updated: 2026-06-30 12:53
VLAI
Summary
RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Gotcha Gotcha Games Inc. | RPG MAKER MV |
Affected:
1.6.3 and earlier
|
|
| Gotcha Gotcha Games Inc. | RPG MAKER MZ |
Affected:
1.10.0 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56137",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T12:53:07.509137Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:53:15.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RPG MAKER MV",
"vendor": "Gotcha Gotcha Games Inc.",
"versions": [
{
"status": "affected",
"version": "1.6.3 and earlier"
}
]
},
{
"product": "RPG MAKER MZ",
"vendor": "Gotcha Gotcha Games Inc.",
"versions": [
{
"status": "affected",
"version": "1.10.0 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T06:02:47.607Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://rpgmakerofficial.com/en/news/4188/"
},
{
"url": "https://rpgmakerofficial.com/news/4183/"
},
{
"url": "https://jvn.jp/en/jp/JVN69681784/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-56137",
"datePublished": "2026-06-30T06:02:47.607Z",
"dateReserved": "2026-06-19T05:52:27.686Z",
"dateUpdated": "2026-06-30T12:53:15.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}