Skip to main content

RPG Maker EUVDEUVD-2026-40256

| CVE-2026-56137 HIGH
OS Command Injection (CWE-78)
2026-06-30 jpcert GHSA-f7jr-jmf8-58m2
8.4
CVSS 4.0 · Vendor: jpcert
Share

Severity by source

Vendor (jpcert) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local save-file load with no auth gives AV:L/AC:L/PR:N; victim must open the file (UI:R); arbitrary command execution yields full C:H/I:H/A:H with unchanged scope.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (jpcert).

CVSS VectorVendor: jpcert

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 07:32 vuln.today
CVSS changed
Jun 30, 2026 - 07:22 NVD
7.8 (HIGH) 8.4 (HIGH)

DescriptionCVE.org

RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.

AnalysisAI

Arbitrary OS command execution in RPG Maker MV and MZ (Gotcha Gotcha Games) is triggered when a victim loads a maliciously crafted save-file, allowing an attacker to run commands with the privileges of the game process. The flaw is a classic OS command injection (CWE-78) reported through JPCERT/JVN; no public exploit has been identified at time of analysis and it is not in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious save-file with injected commands
Delivery
Distribute as shared/cheat save
Exploit
Victim loads save in RPG Maker MV/MZ
Execution
Engine passes save data to OS shell
Impact
Arbitrary command executes as user

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively load a specially crafted save-file into RPG Maker MV or MZ (or a game running on the vulnerable engine) - that load action is the exact trigger named in the advisory and maps to the CVSS UI:A and AV:L metrics. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, score 8.4) describes a high-impact but local, user-interaction-dependent flaw: an attacker cannot reach it over the network and must convince a victim to load a crafted save-file. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious RPG Maker save-file embedding shell metacharacters in a field the engine later passes to an OS command, then distributes it as a 'cheat save' or 'continue from here' file on a game forum or chat. When the victim loads the save in RPG Maker MV/MZ (or a game built on the vulnerable runtime), the embedded command executes with the user's privileges. …
Remediation Update RPG Maker MV and MZ to the fixed releases announced by Gotcha Gotcha Games; the exact patched version is not stated in the supplied data, so consult the vendor advisories at https://rpgmakerofficial.com/en/news/4188/ and https://rpgmakerofficial.com/news/4183/ and the JVN advisory at https://jvn.jp/en/jp/JVN69681784/ for the precise build numbers before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all RPG Maker MV and MZ installations within your development and operational environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40256 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy