{"rewrite":{"id":"r_46bd95ff2d281245c3be3b55","clusterId":"c_770108d8a23a385fde3d2b85","slug":"rpg-maker-mv-and-mz-have-a-critical-os-command-injection-vulnerability","model":"deepseek-v4-flash","headline":"RPG Maker MV and MZ Have a Critical OS Command Injection Vulnerability","summary":"Japan Vulnerability Notes reported a vulnerability in RPG Maker MV and MZ that allows arbitrary OS command execution via crafted save data. Developer Gotcha Gotcha Games has warned users not to load games, saves, or assets from untrusted sources. No patch has been released yet.","whyItMatters":"The vulnerability affects all current versions of two widely used game development tools, leaving a large number of user-created games and their players at risk until a fix arrives.","webCardHtml":"\u003cp\u003eJapan Vulnerability Notes disclosed a vulnerability in RPG Maker MV and MZ on June 30 that could let an attacker execute arbitrary OS commands by loading a malicious save file. Gotcha Gotcha Games, the developer of the tools, responded with a warning rather than a patch: users should only load games, save data, and assets they trust. The affected versions are RPG Maker MV 1.6.3 and earlier, and RPG Maker MZ 1.10.0 and earlier. Since no update has been released, the company recommends players use only save data they created themselves and avoid files from social media, file-sharing services, or unknown third parties. The vulnerability is tracked as JVN#69681784.\u003c/p\u003e","blueskyPost":"The vulnerability in RPG Maker MV and MZ exploits the engine's own save-load system. Until a patch ships, the only defense is user vigilance against untrusted content.","twitterPost":"RPG Maker MV and MZ's OS command injection uses save data as an attack vector. No patch yet.","threadsPost":"RPG Maker MV and MZ have a vulnerability that executes arbitrary OS commands through crafted save data. Gotcha Gotcha Games hasn't released a patch. The only mitigation is avoiding untrusted games, saves, and assets.","newsletterBlurb":"Japan Vulnerability Notes reported a serious vulnerability in RPG Maker MV and MZ that allows arbitrary OS command execution via crafted save data. Gotcha Gotcha Games has issued a warning but no patch. Users should only load trusted files.","attributionJson":"[{\"source\":\"Automaton\",\"url\":\"https://automaton-media.com/articles/newsjp/20260701-452738/\",\"title\":\"Vulnerability of arbitrary command execution reported in RPG Maker MV/MZ. Official warns not to use suspicious games, saves, or assets.\"}]","lintFlagsJson":null,"lintHits":0,"costUsd":0,"inputTokens":3995,"outputTokens":506,"status":"published","repairAttempts":0,"nextRepairAt":null,"factsAttemptedAt":1782878454,"createdAt":"2026-07-01T03:50:44.000Z","publishedAt":"2026-07-01T03:54:50.000Z","updatedAt":"2026-07-01T03:54:50.000Z"},"cluster":{"id":"c_770108d8a23a385fde3d2b85","canonicalTitle":"「RPGツクールMV/MZ」にて、“任意コマンド実行”の脆弱性が報告される。公式は「不審なゲーム・セーブ・素材」を使わないよう注意喚起","representativeArticleId":"a_590d2cd8c9f84bba5f05b1fa","sourceCount":1,"writtenSourceCount":1,"writeAttempts":0,"isSolo":true,"entitiesJson":"{\"anime_titles\":[],\"manga_titles\":[],\"work_titles\":[\"RPGツクールMV\",\"RPGツクールMZ\"],\"studios\":[],\"people\":[],\"type\":\"news\",\"domain\":\"games\",\"is_roundup\":false}","contentType":"news","status":"published","firstSeenAt":"2026-07-01T03:11:52.000Z","lastSeenAt":"2026-07-01T03:11:52.000Z","updatedAt":"2026-07-01T03:54:51.000Z"},"attribution":[{"source":"Automaton","url":"https://automaton-media.com/articles/newsjp/20260701-452738/","title":"「RPGツクールMV/MZ」にて、“任意コマンド実行”の脆弱性が報告される。公式は「不審なゲーム・セーブ・素材」を使わないよう注意喚起"}],"entities":{"anime_titles":[],"manga_titles":[],"work_titles":["RPGツクールMV","RPGツクールMZ"],"studios":[],"people":[],"type":"news","domain":"games","is_roundup":false},"keyFacts":["Japan Vulnerability Notes disclosed a vulnerability in RPG Maker MV and MZ on June 30 that allows arbitrary OS command execution via a malicious save file.","Gotcha Gotcha Games has not released a patch and instead warns users to only load games, saves, and assets from trusted sources.","The affected versions are RPG Maker MV 1.6.3 and earlier, and RPG Maker MZ 1.10.0 and earlier.","The company recommends players use only save data they created themselves and avoid files from social media, file-sharing services, or unknown third parties.","The vulnerability is tracked as JVN#69681784."]}
