CVE Catalog

CVE-2026-13501

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.68%

48th percentile — higher than 48% of all known CVEs

Summary

A vulnerability was found in ANTLR4 up to 4.13.2, affecting the GoTarget function in GoTarget.java. A local attacker can inject commands via the gofmt component, leading to unauthorized operations.

Risk Assessment

The risk involves local command injection, potentially allowing an attacker to escalate privileges or compromise system integrity.

Recommendation

Immediately restrict access to the vulnerable ANTLR4 version and apply temporary mitigations such as limiting local user privileges. Monitor vendor updates.

Original NVD description (English source)

A security vulnerability has been detected in antlr ANTLR4 up to 4.13.2. Affected by this vulnerability is the function GoTarget of the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS