antlr ANTLR4 gofmt GoTarget.java GoTarget command injection_CVE-2026-13501

4.8 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A security vulnerability has been detected in antlr ANTLR4 up to 4.13.2. Affected by this vulnerability is the function GoTarget of the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2026-13501

Source VulDB

Published Jun 28, 2026 at 14:30

Affected Product

Vendor antlr

Product ANTLR4

Version 4.13.0

Affected Versions antlr ANTLR4 4.13.0
antlr ANTLR4 4.13.1
antlr ANTLR4 4.13.2

CWE Classification

CWE-77 CWE-74

References

{
    "lastseen": "",
    "description": "A security vulnerability has been detected in antlr ANTLR4 up to 4.13.2. Affected by this vulnerability is the function GoTarget of the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2026-06-28T14:30:08.236Z",
    "modified": "2026-06-28T14:30:08.236Z",
    "type": "cve",
    "title": "antlr ANTLR4 gofmt GoTarget.java GoTarget command injection",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/374496\nhttps://vuldb.com/vuln/374496/cti\nhttps://vuldb.com/cve/CVE-2026-13501\nhttps://vuldb.com/submit/838569\nhttps://github.com/wooyun123/wooyun/issues/6",
    "id": "CVE-2026-13501",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77",
        "CWE-74"
    ],
    "cvelist": null,
    "sourceData": "antlr ANTLR4 4.13.0\nantlr ANTLR4 4.13.1\nantlr ANTLR4 4.13.2",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ANTLR4",
    "version": "4.13.0",
    "vendor": "antlr",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}