OS Command Injection Vulnerability in RPG MAKER MV and MZ by Gotcha Gotcha Games Inc.
CVE-2026-56137

8.4 HIGH

What is CVE-2026-56137?

RPG MAKER MV and MZ, products developed by Gotcha Gotcha Games Inc., are susceptible to an OS command injection issue. This vulnerability allows attackers to execute arbitrary operating system commands by loading specially crafted save-files, potentially compromising the security of the host system. Developers and users should be aware of this risk and implement necessary mitigations to prevent exploitation.

Affected Version(s)

RPG MAKER MV 1.6.3 and earlier

RPG MAKER MZ 1.10.0 and earlier

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

CVSS V3.0

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
