
RPG Maker MV/MZ Flaw (CVE-2026-56137): Shared Save Can Hijack Your PC

Games made with RPG Maker MV/MZ have a flaw (CVE-2026-56137): loading a save someone else shared can hijack your PC. No fix yet, so don't load untrusted saves.

News · Published June 30, 2026 · Updated today

A serious flaw has been found in games built with the popular Japanese game-making software "RPG Maker MV/MZ." The problem: if you load a save file that someone else shared, commands hidden inside that save can run quietly in the background and let an attacker take over your PC. The flaw is tracked as CVE-2026-56137, with a severity of 8.4 out of 10 (CVSS v4.0). Japan's vulnerability portal JVN (JVN#69681784) published it on June 30, 2026. It was found and reported by Shuta Ide of GMO Flatt Security.

One thing to be clear about: this is not a flaw that spreads automatically over the internet. For an attack to work, the user has to load a doctored save file on their own PC. Even so, RPG Maker games have a long-standing culture of swapping cleared-game data and save-editing tools, so "accidentally loading a stranger's save data" is far from rare. That is exactly why this is worth knowing about. On the same day, the developer Gotcha Gotcha Games issued an advisory titled "On handling games, save data, and assets of unknown origin."

| Item | Details |
| --- | --- |
| Vulnerability ID | CVE-2026-56137 |
| Affected software | Games built with RPG Maker MV (v1.6.3 and earlier) or RPG Maker MZ (v1.10.0 and earlier) |
| Severity (CVSS) | 8.4 (v4.0) / 7.8 (v3.0) |
| Attack precondition | Loading a doctored save file (no login required; user action needed) |
| Available mitigation | Don't load save data from people you don't know (no fix released yet) |

* Because commands run "when a save file is loaded," the danger comes from save data obtained externally. Save data you created during your own play is not a problem.

Who is affected, and what could happen

The people who abuse this hole are those who doctor a save file meant for sharing and get others to load it. The likely pattern: a save file is handed out with a pitch like "use this save to get powerful gear" or "this is already cleared up to the hidden post-game content," and anyone who wants it downloads it. Swapping save data to skip the grind has long been common in RPG Maker games, and that trust is what gets turned against players.

A doctored save file looks like nothing more than ordinary game progress. But hidden inside that data are commands for the PC, and the moment the game loads the save, those commands run in the background. The player thinks they "just loaded a save," while behind the screen an entirely different program has started.

The impact is severe. Being able to run arbitrary commands is effectively the same as having your PC taken over: stealing files, planting other malware, destroying data—all of it becomes possible. The main targets are players, but creators who make and distribute games are not in the clear either. If a game comes to be suspected of "being dangerous to load a save in," the trust built up over time can collapse in an instant. That is why both players and creators need to avoid casually handling save data of unclear origin.

What RPG Maker is, and why it concerns so many people

RPG Maker (known in Japan as RPG Tsukuru) is a long-running Japanese product that lets you build your own role-playing game with no programming knowledge. "MV" and "MZ," the versions in question here, are among its newer generations, and a key feature is that you can export your game for PC as well as for smartphones and browsers. A huge share of indie and free games are built with this series, and game-distribution sites and Steam are filled with countless RPG Maker titles.

In other words, this isn't only about "people who own RPG Maker." Anyone who plays a game built with RPG Maker MV/MZ may be affected. And among fans of these games, sharing "cleared data" past a hard section, or using dedicated save editors (tools that rewrite the contents of a save), is a widespread habit. It is a convenient culture, but it is the flip side of the very weakness exploited here, where "save data that came from outside" becomes the entry point for an attack.

Why loading a save file can run commands

In technical terms, this flaw is a type known as "OS command injection" (CWE-78). OS commands are instructions to the computer's operating system (Windows or macOS). The name covers the whole class of attacks in which commands are slipped into something that should be treated only as data and a program ends up running them by mistake.

PC games made with RPG Maker MV/MZ run internally on something close to a web browser. Save data is the game's progress written out as text, and on resuming, the game reads it back to restore the previous state. According to JVN's description, this loading process fails to safely handle doctored content, so commands planted in what should have been data end up being executed. Because the attack requires the user to perform the load action, the severity rating classifies it as a "local" attack rather than a "remote attack over the internet." The NVD (the U.S. vulnerability database) is also processing it under the same ID.

Are you at risk? A quick guide by situation

Here is a quick "does this concern me?" check, sorted by situation. For most people there is only one thing to remember: don't load save data from people you don't know.

| Your situation | Risky condition | What to do now |
| --- | --- | --- |
| You play RPG Maker games | You load save data shared by others (.rpgsave / .rmmzsave) | Use only saves you made yourself; don't load shared data |
| You make and distribute games | You exported with MV v1.6.3 or earlier / MZ v1.10.0 or earlier | Watch official notices; when a fix ships, update and re-export |
| You bought the software but don't really play | Not applicable | Not affected; no action needed |

* ".rpgsave" is commonly used for MV save data and ".rmmzsave" for MZ. Be especially careful when a download includes such files and you are urged to load them.
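
A download can be checked for bundled save files before the game is run. The following Python sketch is an added example, not code from JVN, Gotcha Gotcha Games, or the original article; it lists files with the .rpgsave / .rmmzsave extensions named above, both loose and inside zip archives (listed, never extracted). The function names and the sample layout are assumptions made for illustration, and a hit only shows that a save is present, not whether it is doctored.

```python
import os
import zipfile

# Extensions named in this article: .rpgsave (MV) and .rmmzsave (MZ).
SAVE_EXTS = (".rpgsave", ".rmmzsave")


def is_save_name(name):
    """True if a file name carries one of the MV/MZ save extensions."""
    return name.lower().endswith(SAVE_EXTS)


def find_bundled_saves(root):
    """Walk `root` and list save files, loose or inside zip archives.

    Archives are only listed, never extracted. Returns sorted strings;
    archive members are reported as 'archive.zip!member/path'.
    """
    hits = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if is_save_name(fname):
                hits.append(rel)
            elif zipfile.is_zipfile(path):
                try:
                    with zipfile.ZipFile(path) as zf:
                        hits += [f"{rel}!{m}" for m in zf.namelist()
                                 if is_save_name(m)]
                except zipfile.BadZipFile:
                    hits.append(f"{rel}!<unreadable archive>")
    return sorted(hits)


def build_constructed_sample(root):
    """Constructed sample download: one loose save, one zipped, one benign."""
    os.makedirs(os.path.join(root, "game", "save"))
    with open(os.path.join(root, "game", "save", "FILE1.RPGSAVE"), "w") as f:
        f.write("constructed placeholder, not a real save")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("constructed")
    with zipfile.ZipFile(os.path.join(root, "bonus.zip"), "w") as zf:
        zf.writestr("save/file2.rmmzsave", "constructed placeholder")
        zf.writestr("img/title.png", "constructed")


if __name__ == "__main__":
    import sys
    for hit in find_bundled_saves(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("save file found:", hit)
```

Run it against the folder a download was saved to; any path it prints is a save that did not come from your own play.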

What to do now

For players, the action is clear: use only the save data you created in your own play, and don't load save data handed to you by others. The "handy saves" and "cleared data" floating around forums on distribution sites, social media, and file-sharing services cannot be judged safe or unsafe just by looking. Gotcha Gotcha Games, in its official advisory, urges using games, save data, and assets only "from sources you trust."

If you make and distribute games, first check which version you exported your work with. Games exported with MV v1.6.3 or earlier, or MZ v1.10.0 or earlier, contain the vulnerable loading process. At this point, no fix (update) for this flaw has been released yet. Keep an eye on the official update information, and once a fix ships, update the software and re-export your game—that is the proper path. Until then, it helps to add a note for players telling them not to load shared saves.

FAQ

Is the RPG Maker game I play dangerous?

If you just play normally and read and write your own save data, that alone won't cause harm. The danger is when you load "external save data" handed to you by others or picked up online. If that applies to you, stop using that save.

What exactly should players do?

Use only the save data you created in your own play. It is safest not to load the "cleared data" or "handy saves" handed out on forums, social media, or file-sharing sites. Use game files and assets only from distribution sources you trust.

What should people making games with RPG Maker do?

Check which version you used to export your work. RPG Maker MV v1.6.3 and earlier, and MZ v1.10.0 and earlier, are affected. Since no fix has been released yet, watch the official update information and, once a fix is provided, update the software and re-export your game—that is the proper response. For now, it is good to warn players not to load shared saves.

Is a fix out yet? Is it already being exploited?

As of JVN's publication on June 30, 2026, no fix (update) for this flaw has been announced; the only recommended measure is the workaround of "not loading untrusted save data." Also, as of this article, there is no public report of it being used in real attacks (such as a listing in the U.S. CISA "Known Exploited Vulnerabilities" catalog, or KEV). The situation may change, so check official sources as needed.

Summary

CVE-2026-56137 is a vulnerability where a game built with RPG Maker MV/MZ runs commands on the PC on its own when it loads a doctored save file. It does not spread automatically over the internet, but running commands leads directly to a PC takeover. Because sharing cleared data and saves is routine in this genre, both players and creators should keep one point in mind: "don't load saves from people you don't know."

No fix has been released yet. Check RPG Maker's official update information and advisory, and apply the fix promptly once it is available.

Update history

  • June 30, 2026: First published (created in response to the same-day disclosure of JVN#69681784 and the Gotcha Gotcha Games advisory).


Makoto Horikawa

Backend Engineer / AWS / Django