PatchSiren cyber security CVE debrief

CVE-2026-13500 antlr CVE debrief

CVE-2026-13500 is a code injection vulnerability in ANTLR4 up to 4.13.2. The vulnerability affects an unknown function of the file tool/src/org/antlr/v4/codegen/model/OutputFile.java in the Grammar Action Block Handler component. This weakness can be exploited remotely, and a public exploit is available. The vendor, Unknown Vendor, was contacted but did not respond. The CVSS score is 5.5, and the severity is MEDIUM.

Vendor: antlr
Product: ANTLR4
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-28
Original CVE updated: 2026-06-28
Advisory published: 2026-06-28
Advisory updated: 2026-06-28

Who should care

Organizations using ANTLR4 up to version 4.13.2 should be aware of this vulnerability and take necessary actions to mitigate the risk. The vulnerability can be exploited remotely, and a public exploit is available, increasing the urgency for patching. Security teams and developers using ANTLR4 should prioritize patching and monitoring.

Technical summary

The vulnerability is caused by a weakness in the Grammar Action Block Handler component of ANTLR4 up to 4.13.2. The affected function is located in the file tool/src/org/antlr/v4/codegen/model/OutputFile.java. The vulnerability allows for code injection, which can be exploited remotely. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

The vulnerability has a MEDIUM severity and a CVSS score of 5.5. Organizations should prioritize patching and monitoring to mitigate the risk of code injection attacks.

Recommended defensive actions

  • Patch ANTLR4 to version 4.13.2 or later
  • Monitor for suspicious activity related to code injection
  • Review and update security configurations for ANTLR4
  • Implement compensating controls to detect and prevent code injection attacks
  • Verify vendor remediation workflow and exception tracking

Evidence notes

The vulnerability was disclosed on June 28, 2026, and the vendor, Unknown Vendor, was contacted but did not respond. The exploit has been made publicly available, increasing the risk of attacks. The CVE record and NVD detail provide additional information about the vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.