PatchSiren cyber security CVE debrief

CVE-2026-13501 antlr CVE debrief

CVE-2026-13501 is a command injection vulnerability in ANTLR4 up to 4.13.2. The vulnerability affects the GoTarget function in the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection, which can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The vendor, Unknown Vendor, was contacted early about this disclosure but did not respond in any way.

Vendor: antlr
Product: ANTLR4
CVSS: LOW 1.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-28
Original CVE updated: 2026-06-28
Advisory published: 2026-06-28
Advisory updated: 2026-06-28

Who should care

Defenders of systems using ANTLR4 up to 4.13.2 should prioritize patching this vulnerability. Given the low CVSS score of 1.9, it may seem less critical, but the potential for local command injection should not be underestimated. Security teams responsible for software development tools and local environment security should investigate and mitigate this vulnerability.

Technical summary

CVE-2026-13501 is a command injection vulnerability in the GoTarget function of ANTLR4 up to 4.13.2. The vulnerability is located in the file tool/src/org/antlr/v4/codegen/target/GoTarget.java, specifically in the gofmt component. The CVSS:4.0 vector is AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, indicating a local attack vector with low attack complexity and low privileges required. The vulnerability is classified under CWE-74 and CWE-77.

Defensive priority

Given the low CVSS score and local attack vector, defenders should prioritize patching this vulnerability as part of regular software maintenance. The potential impact of command injection in a local environment should be carefully assessed and mitigated.

Recommended defensive actions

  • Patch ANTLR4 to version 4.13.3 or later
  • Review and limit local access to systems using ANTLR4
  • Implement additional monitoring for suspicious activity in local environments
  • Consider compensating controls for local command injection
  • Track vendor response and any additional advisories
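The first action above is a version check, and in practice the hard part is finding every build file that pulls in the ANTLR tool. The following script is an added example written for this debrief; it is not PatchSiren's tooling and not code from the ANTLR project. It scans Maven pom.xml and Gradle build scripts for org.antlr artifacts and flags the antlr4 tool jar when its version is below 4.13.3, the fix threshold stated in the advisory. Because the advisory places the affected code under tool/src (the tool, not the runtime), the script only renders a verdict on the antlr4 artifact and marks antlr4-runtime and any unresolved version property as "review" rather than guessing. The sample build files are constructed for the demonstration.

```python
"""Flag ANTLR4 tool dependencies below the advisory's fixed version (4.13.3)."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (4, 13, 3)  # from the advisory: patch to 4.13.3 or later

# Constructed sample build files; not taken from any real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.antlr</groupId>
      <artifactId>antlr4</artifactId>
      <version>4.13.2</version>
    </dependency>
    <dependency>
      <groupId>org.antlr</groupId>
      <artifactId>antlr4-runtime</artifactId>
      <version>4.13.2</version>
    </dependency>
    <dependency>
      <groupId>org.antlr</groupId>
      <artifactId>antlr4</artifactId>
      <version>${antlr.version}</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_GRADLE = """plugins { id 'antlr' }
dependencies {
    antlr 'org.antlr:antlr4:4.13.3'
    implementation "org.antlr:antlr4-runtime:4.9.3"
}
"""

# Matches the 'group:artifact:version' string form used in Gradle scripts.
GRADLE_DEP = re.compile(r"""['"]([\w.\-]+):([\w.\-]+):([\w.\-]+)['"]""")


def parse_version(text):
    """Return the first three numeric components as a tuple, or None if there
    are none (e.g. an unresolved '${antlr.version}' property)."""
    parts = re.findall(r"\d+", text or "")
    return tuple(int(p) for p in parts[:3]) if parts else None


def maven_dependencies(pom_text):
    """Yield (groupId, artifactId, version) for every <dependency> element,
    ignoring the POM namespace so the check works with or without xmlns."""
    root = ET.fromstring(pom_text)
    deps = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "dependency":
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
        deps.append((fields.get("groupId"), fields.get("artifactId"), fields.get("version")))
    return deps


def gradle_dependencies(gradle_text):
    """Return (group, artifact, version) triples found in a Gradle script."""
    return GRADLE_DEP.findall(gradle_text)


def classify(artifact, version):
    """Verdict for one org.antlr artifact. Only the 'antlr4' tool jar is
    judged against the advisory; everything else is left for manual review."""
    v = parse_version(version)
    if v is None:
        return "review"  # version comes from a property or BOM; resolve it first
    if artifact == "antlr4":
        return "vulnerable" if v < FIXED_VERSION else "patched"
    return "review"


def audit(deps):
    """Filter to org.antlr artifacts and attach a verdict to each."""
    return [(a, v, classify(a, v)) for g, a, v in deps
            if g == "org.antlr" and a and a.startswith("antlr4")]


if __name__ == "__main__":
    for label, findings in (("pom.xml", audit(maven_dependencies(SAMPLE_POM))),
                            ("build.gradle", audit(gradle_dependencies(SAMPLE_GRADLE)))):
        for artifact, version, verdict in findings:
            print(f"{label}: {artifact} {version} -> {verdict}")
```

To use it on a real tree, replace the constructed samples with the contents of each pom.xml and build.gradle found by walking the repository; anything reported as "review" needs the effective version resolved (for Maven, `mvn help:effective-pom` shows property-substituted versions) before it is counted as patched.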

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. Additional sources, including Vuldb, offer further context and references. However, the vendor did not respond to early disclosure, limiting additional information.

Official resources

This article is AI-assisted and based on the supplied source corpus.