Skip to main content

Antlr4

4 CVEs product

Monthly

CVE-2026-13503 MEDIUM POC This Month

Path traversal in ANTLR4 up to 4.13.2 exposes arbitrary file read via the tokenVocab grammar option handler. The vulnerable function getImportedVocabFile in TokenVocabParser.java fails to sanitize user-controlled grammar option values, allowing an attacker to supply a crafted .g4 grammar file that causes the tool to read files outside the intended working directory. A publicly available proof-of-concept exploit exists (GitHub issue reference), and no vendor patch has been released - the vendor did not respond to disclosure. No active exploitation is confirmed in CISA KEV, but the CVSS 4.0 E:P flag confirms exploit code is public.

Java Path Traversal Antlr4 Red Hat Suse
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-13502 LOW POC Monitor

Time-of-check time-of-use (TOCTOU) race condition in antlr4-maven-plugin up to version 4.13.2 allows a local low-privileged attacker to manipulate grammar dependency state between validation and consumption in ObjectInputStream.readObject() within GrammarDependencies.java, yielding limited confidentiality, integrity, and availability impact on build artifacts. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists via a GitHub issue, though KEV listing is absent, indicating no confirmed widespread active exploitation. The CVSS 4.0 score of 1.1 reflects genuine low real-world risk due to local-only access, high attack complexity, and constrained impact scope.

Java Information Disclosure Antlr4
NVD VulDB GitHub
CVSS 4.0
1.1
EPSS
0.1%
CVE-2026-13501 LOW POC Monitor

Command injection in ANTLR4's Go code generation target (GoTarget.java) allows a local low-privilege attacker to execute arbitrary OS commands via unsanitized input passed to the gofmt invocation, affecting all versions up to 4.13.2. This vulnerability is scoped entirely to local environments such as developer workstations or CI/CD pipelines running ANTLR4 Go target code generation. A publicly available proof-of-concept exploit exists per the GitHub disclosure, but this is not confirmed as actively exploited (not in CISA KEV), and the CVSS 4.0 base score of 1.9 reflects its genuinely constrained real-world impact.

Command Injection Java Antlr4
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.7%
CVE-2026-13500 MEDIUM POC This Month

Code injection in ANTLR4's Grammar Action Block Handler allows remote attackers to execute arbitrary code by supplying a crafted grammar file processed by the tool. All versions up to and including 4.13.2 are affected via the OutputFile.java code generation pathway. A public proof-of-concept exploit exists on GitHub (no KEV listing), though the vendor has not acknowledged or patched the issue, leaving users without an official fix.

Code Injection Java RCE Antlr4 Red Hat +1
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Path traversal in ANTLR4 up to 4.13.2 exposes arbitrary file read via the tokenVocab grammar option handler. The vulnerable function getImportedVocabFile in TokenVocabParser.java fails to sanitize user-controlled grammar option values, allowing an attacker to supply a crafted .g4 grammar file that causes the tool to read files outside the intended working directory. A publicly available proof-of-concept exploit exists (GitHub issue reference), and no vendor patch has been released - the vendor did not respond to disclosure. No active exploitation is confirmed in CISA KEV, but the CVSS 4.0 E:P flag confirms exploit code is public.

Java Path Traversal Antlr4 +2
NVD VulDB GitHub
EPSS 0% CVSS 1.1
LOW POC Monitor

Time-of-check time-of-use (TOCTOU) race condition in antlr4-maven-plugin up to version 4.13.2 allows a local low-privileged attacker to manipulate grammar dependency state between validation and consumption in ObjectInputStream.readObject() within GrammarDependencies.java, yielding limited confidentiality, integrity, and availability impact on build artifacts. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists via a GitHub issue, though KEV listing is absent, indicating no confirmed widespread active exploitation. The CVSS 4.0 score of 1.1 reflects genuine low real-world risk due to local-only access, high attack complexity, and constrained impact scope.

Java Information Disclosure Antlr4
NVD VulDB GitHub
EPSS 1% CVSS 1.9
LOW POC Monitor

Command injection in ANTLR4's Go code generation target (GoTarget.java) allows a local low-privilege attacker to execute arbitrary OS commands via unsanitized input passed to the gofmt invocation, affecting all versions up to 4.13.2. This vulnerability is scoped entirely to local environments such as developer workstations or CI/CD pipelines running ANTLR4 Go target code generation. A publicly available proof-of-concept exploit exists per the GitHub disclosure, but this is not confirmed as actively exploited (not in CISA KEV), and the CVSS 4.0 base score of 1.9 reflects its genuinely constrained real-world impact.

Command Injection Java Antlr4
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Code injection in ANTLR4's Grammar Action Block Handler allows remote attackers to execute arbitrary code by supplying a crafted grammar file processed by the tool. All versions up to and including 4.13.2 are affected via the OutputFile.java code generation pathway. A public proof-of-concept exploit exists on GitHub (no KEV listing), though the vendor has not acknowledged or patched the issue, leaving users without an official fix.

Code Injection Java RCE +3
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy