Description
A security vulnerability has been detected in antlr ANTLR4 up to 4.13.2. Affected by this vulnerability is the function GoTarget of the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-28
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the GoTarget function of the gofmt component of ANTLR4. Manipulated input reaching GoTarget is embedded unsanitized into a system command, allowing an attacker to execute arbitrary commands. Because exploitation requires local access to the ANTLR4 environment, the issue is not exploitable remotely, but a local attacker who can run the ANTLR4 tool can elevate privilege or compromise the host.

Affected Systems

The vulnerability affects ANTLR4 releases up to 4.13.2 that include the gofmt tool. No other versions are listed as impacted, and the vendor is antlr:ANTLR4.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the risk is limited to local attackers. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. Because the attack vector is local, the likelihood of exploitation depends on an attacker's ability to run ANTLR4 on the target machine.

Generated by OpenCVE AI on June 28, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ANTLR4 to version 4.14 or later where the issue is fixed.
  • Reconfigure the environment so that gofmt only runs with trusted input and is not exposed to untrusted users; limit its execution to privileged accounts.
  • Validate or sanitize all data passed to GoTarget to prevent arbitrary shell command construction.


Tracking


Advisories

No advisories yet.

History

Sun, 28 Jun 2026 15:15:00 +0000

Record created; all values below were added and none were removed.

Description: A security vulnerability has been detected in antlr ANTLR4 up to 4.13.2. Affected by this vulnerability is the function GoTarget of the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: antlr ANTLR4 gofmt GoTarget.java GoTarget command injection
First Time appeared: Antlr; Antlr antlr4
Weaknesses: CWE-74; CWE-77
CPEs: cpe:2.3:a:antlr:antlr4:*:*:*:*:*:*:*:*
Vendors & Products: Antlr; Antlr antlr4
References: none
Metrics:

cvssV2_0: {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-28T14:30:08.236Z

Reserved: 2026-06-27T18:28:01.063Z

Link: CVE-2026-13501

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T16:30:17Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')