JVNDB-2026-000093

Vulnerability from jvndb - Published: 2026-06-30 18:07 - Updated: 2026-06-30 18:07
Severity
Summary
RPG MAKER MV and MZ vulnerable to OS command injection
Details
RPG MAKER MV and MZ, provided by Gotcha Gotcha Games Inc., are game development tools that provide a "save data" facility, which creates a file to preserve the game status and related parameters. A user can save the current game status to a save-file and later load the file to resume playing the game. When loading a save-file, RPG MAKER MV and MZ fail to properly handle crafted contents, which may lead to OS command injection.
  • OS Command Injection (CWE-78) - CVE-2026-56137
Shuta Ide of GMO Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000093.html",
  "dc:date": "2026-06-30T18:07+09:00",
  "dcterms:issued": "2026-06-30T18:07+09:00",
  "dcterms:modified": "2026-06-30T18:07+09:00",
  "description": "RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. are game development tools, which provide \"save data\" facility to create a file to preserve game status and related parameters. A user can save the current game status to a save-file, and later load the file to resume playing the game.\r\nWhen loading a save-file, RPG MAKER MV and MZ fail to properly treat crafted contents, and may lead to OS command injection.\u003ca href=\u0027https://cwe.mitre.org/data/definitions/78.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003cul\u003e\u003cli\u003eOS Command Injection (CWE-78) - CVE-2026-56137\u003c/li\u003e\u003c/ul\u003eShuta Ide of GMO Flatt Security Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000093.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:misc:gotcha_gotcha_games_rpg_maker_mv",
      "@product": "RPG Maker MV",
      "@vendor": "Gotcha Gotcha Games Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:misc:gotcha_gotcha_games_rpg_maker_mz",
      "@product": "RPG Maker MZ",
      "@vendor": "Gotcha Gotcha Games Inc.",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "7.8",
    "@severity": "High",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2026-000093",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN69681784/index.html",
      "@id": "JVN#69681784",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2026-56137",
      "@id": "CVE-2026-56137",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-78",
      "@title": "OS Command Injection(CWE-78)"
    }
  ],
  "title": "RPG MAKER MV and MZ vulnerable to OS command injection"
}

