CVE Catalog

CVE-2026-13503

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.55%

42th percentile — higher than 42% of all known CVEs

Summary

A path traversal vulnerability was found in ANTLR4 up to version 4.13.2 in the getImportedVocabFile function of TokenVocabParser.java. The attack can be executed remotely and the exploit is publicly available.

Risk Assessment

The organization is at risk of unauthorized file access outside the intended directory, potentially leading to sensitive data leakage or privilege escalation.

Recommendation

Immediately update ANTLR4 to version 4.13.3 or later if available, or apply a temporary workaround by validating paths in tokenVocab.

Original NVD description (English source)

A vulnerability was detected in antlr ANTLR4 up to 4.13.2. Affected by this issue is the function getImportedVocabFile of the file tool/src/org/antlr/v4/parse/TokenVocabParser.java of the component tokenVocab Grammar Option Handler. The manipulation results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS