CVE-2026-13501
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk48th percentile — higher than 48% of all known CVEs
Summary
A vulnerability was found in ANTLR4 up to 4.13.2, affecting the GoTarget function in GoTarget.java. A local attacker can inject commands via the gofmt component, leading to unauthorized operations.
Risk Assessment
The risk involves local command injection, potentially allowing an attacker to escalate privileges or compromise system integrity.
Recommendation
Immediately restrict access to the vulnerable ANTLR4 version and apply temporary mitigations such as limiting local user privileges. Monitor vendor updates.
Original NVD description (English source)
A security vulnerability has been detected in antlr ANTLR4 up to 4.13.2. Affected by this vulnerability is the function GoTarget of the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

