CVE-2026-13501 | A security vulnerability has been detected in antlr ANTLR4 u… | CVSS 5.3 MEDIUM

Description

A security vulnerability has been detected in antlr ANTLR4 up to 4.13.2. Affected by this vulnerability is the function GoTarget of the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Metadata

CVE ID: CVE-2026-13501
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-27 18:28 UTC
Published: 2026-06-28 14:30 UTC
Last updated: 2026-06-28 14:30 UTC
Primary CWE: CWE-77
Command Injection
Vendor / Product: antlr / ANTLR4
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Affected products (1)

Vendor	Product	Platform	Versions
antlr	ANTLR4	—	4.13.0, 4.13.1, 4.13.2

Weakness (CWE)

CWE	Source	Description
CWE-74	cna	Injection
CWE-77	cna	Command Injection

CVSS scores (4)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
5.3	MEDIUM	3.0	cna	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
4.8	MEDIUM	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
4.3	N/D	2.0	cna	AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

References (5)

VDB-374496 | antlr ANTLR4 gofmt GoTarget.java GoTarget command injection https://vuldb.com/vuln/374496
VDB-374496 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/374496/cti
CVE-2026-13501 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-13501
Submit #838569 | antlr ANTLR4 4.13.2 Command Injection https://vuldb.com/submit/838569
https://github.com/wooyun123/wooyun/issues/6