CVE-2026-45288

Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/JasperFx/marten/commit/626249656829860b9c55895b5b6046b61a2a695f
https://github.com/JasperFx/marten/pull/4343
https://github.com/JasperFx/marten/security/advisories/GHSA-vmw2-qwm8-x84c

Configurations

No configuration.

History

28 May 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-28 21:16

Updated : 2026-06-01 18:41

NVD link : CVE-2026-45288

Mitre link : CVE-2026-45288

CVE.ORG link : CVE-2026-45288

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

9.8 /10