CVE-2026-13503
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk42th percentile — higher than 42% of all known CVEs
Summary
A path traversal vulnerability was found in ANTLR4 up to version 4.13.2 in the getImportedVocabFile function of TokenVocabParser.java. The attack can be executed remotely and the exploit is publicly available.
Risk Assessment
The organization is at risk of unauthorized file access outside the intended directory, potentially leading to sensitive data leakage or privilege escalation.
Recommendation
Immediately update ANTLR4 to version 4.13.3 or later if available, or apply a temporary workaround by validating paths in tokenVocab.
Original NVD description (English source)
A vulnerability was detected in antlr ANTLR4 up to 4.13.2. Affected by this issue is the function getImportedVocabFile of the file tool/src/org/antlr/v4/parse/TokenVocabParser.java of the component tokenVocab Grammar Option Handler. The manipulation results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

