<Vulnerability name="CVE-2026-13500">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-28T14:15:07</PublicDate>
    <Bugzilla id="2493988" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493988" xml:lang="en:us">
antlr: ANTLR4: Remote code injection vulnerability
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-94</CWE>
    <Details xml:lang="en:us" source="Mitre">
A weakness has been identified in antlr ANTLR4 up to 4.13.2. Affected is an unknown function of the file tool/src/org/antlr/v4/codegen/model/OutputFile.java of the component Grammar Action Block Handler. Executing a manipulation can lead to code injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in ANTLR4. A remote attacker could exploit a weakness within the Grammar Action Block Handler component by executing a manipulation. This vulnerability allows for code injection, which can lead to the execution of arbitrary code on the affected system.
    </Details>
    <Statement xml:lang="en:us">
This is an Important vulnerability. A remote code injection flaw exists in the ANTLR4 Grammar Action Block Handler, which could allow an unauthenticated attacker to execute arbitrary code. The ability for remote exploitation and the public availability of exploit details elevate the risk, making this a critical concern for Red Hat products that incorporate ANTLR4 and process untrusted input.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>grafana</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-13500
https://nvd.nist.gov/vuln/detail/CVE-2026-13500
https://github.com/wooyun123/wooyun/issues/4
https://vuldb.com/cve/CVE-2026-13500
https://vuldb.com/submit/838568
https://vuldb.com/vuln/374495
https://vuldb.com/vuln/374495/cti
    </References>
</Vulnerability>