CVE-2026-13500 | A weakness has been identified in antlr ANTLR4 up to 4.13.2.… | CVSS 7.3 HIGH

Description

A weakness has been identified in antlr ANTLR4 up to 4.13.2. Affected is an unknown function of the file tool/src/org/antlr/v4/codegen/model/OutputFile.java of the component Grammar Action Block Handler. Executing a manipulation can lead to code injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Metadata

CVE ID: CVE-2026-13500
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-27 18:27 UTC
Published: 2026-06-28 14:15 UTC
Last updated: 2026-06-28 14:15 UTC
Primary CWE: CWE-94
Code Injection
Vendor / Product: antlr / ANTLR4
Sources: cve.org · NVD

Severity & Metrics

7.3 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Affected products (1)

Vendor	Product	Platform	Versions
antlr	ANTLR4	—	4.13.0, 4.13.1, 4.13.2

Weakness (CWE)

CWE	Source	Description
CWE-74	cna	Injection
CWE-94	cna	Code Injection

CVSS scores (4)

Score	Severity	Version	Source	Vector
7.5	N/D	2.0	cna	AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
7.3	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
7.3	HIGH	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

References (5)

VDB-374495 | antlr ANTLR4 Grammar Action Block OutputFile.java code injection https://vuldb.com/vuln/374495
VDB-374495 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/374495/cti
CVE-2026-13500 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-13500
Submit #838568 | antlr ANTLR4 4.13.2 Code Injection https://vuldb.com/submit/838568
https://github.com/wooyun123/wooyun/issues/4