PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45288 JasperFx CVE debrief

Marten, a .NET transactional document database and event store built on PostgreSQL, contains a critical SQL injection vulnerability in versions prior to 8.36.1. The flaw exists in the full-text search APIs where the user-supplied `regConfig` parameter is interpolated directly into generated SQL without parameterization or validation. This makes any code path exposing `regConfig` to untrusted input a SQL injection sink, potentially allowing attackers to execute arbitrary SQL commands with the privileges of the database connection. The vulnerability carries a CVSS 3.1 score of 9.8 (Critical) due to its network accessibility, low attack complexity, and no required privileges or user interaction, enabling complete confidentiality, integrity, and availability compromise. The issue was disclosed on May 28, 2026, and resolved in version 8.36.1. Organizations using Marten's full-text search functionality should upgrade immediately and audit application code for any exposure of the `regConfig` parameter to external input.

Vendor: JasperFx
Product: marten
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Marten versions prior to 8.36.1 in production environments, particularly those exposing full-text search functionality to end users or external systems. Development teams using Marten should prioritize this upgrade in their dependency management workflows.

Technical summary

The vulnerability stems from improper neutralization of special elements used in an SQL command (CWE-89). Marten's full-text search functionality accepts a `regConfig` parameter that specifies the PostgreSQL text search configuration to use. Rather than treating this as a bound parameter, the library interpolates the value directly into the SQL string. An attacker who can influence the `regConfig` value can inject arbitrary SQL, potentially reading sensitive data, modifying database contents, or executing administrative commands. The attack vector is network-based with no authentication required, making this particularly dangerous for internet-facing applications.

Defensive priority

critical

Recommended defensive actions

  • Upgrade Marten to version 8.36.1 or later immediately
  • Audit application code to identify every location where the `regConfig` parameter is exposed to untrusted input
  • Review database query logs for suspicious full-text search API usage patterns
  • Implement input validation and allowlisting for any `regConfig` values that must remain configurable
  • Consider using prepared statements or ORM parameterization for all database interactions
  • Monitor for unauthorized database access or data exfiltration attempts
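The interpolation flaw from the technical summary and the allowlisting action above, as an added C# illustration that is not Marten's own code: the table, column and parameter names are assumed, and the allowlist is a sample of PostgreSQL's built-in text search configurations.

```csharp
// Added illustration, not Marten's own code: the splice-into-SQL pattern the
// advisory describes beside a hardened builder. Table and column names are assumed.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class FullTextSql
{
    // Vulnerable shape: regConfig is spliced into the SQL text, so any value
    // containing a quote changes the statement instead of naming a configuration.
    public static string BuildUnsafe(string regConfig) =>
        $"SELECT data FROM mt_doc_article WHERE to_tsvector('{regConfig}', data) " +
        $"@@ plainto_tsquery('{regConfig}', @term)";

    // Hardened shape: the name must look like a PostgreSQL identifier and sit in an
    // allowlist (built-in configurations here; extend it for custom ones you create),
    // and even then it is bound as a parameter cast to regconfig, never spliced.
    private static readonly HashSet<string> AllowedConfigs = new HashSet<string>(StringComparer.Ordinal)
    {
        "simple", "english", "french", "german", "spanish", "italian", "portuguese", "dutch"
    };

    private static readonly Regex IdentifierShape =
        new Regex("^[a-z_][a-z0-9_]{0,62}$", RegexOptions.Compiled);

    public static string BuildSafe(string regConfig)
    {
        if (regConfig is null || !IdentifierShape.IsMatch(regConfig) || !AllowedConfigs.Contains(regConfig))
            throw new ArgumentException($"Unsupported text search configuration: '{regConfig}'", nameof(regConfig));

        // The validated value still travels as @config, a bound parameter.
        return "SELECT data FROM mt_doc_article WHERE to_tsvector(@config::regconfig, data) " +
               "@@ plainto_tsquery(@config::regconfig, @term)";
    }

    public static void Main()
    {
        Console.WriteLine(BuildUnsafe("english') --"));   // statement altered by the input
        Console.WriteLine(BuildSafe("english"));          // configuration bound, not spliced
        try { BuildSafe("english') --"); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

A rejected value is worth logging, since any attempt to pass a non-allowlisted configuration is the pattern the query-log review above is looking for.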

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-vmw2-qwm8-x84c and associated commit 626249656829860b9c55895b5b6046b61a2a695f. The fix in pull request 4343 addresses the SQL injection by properly handling the regConfig parameter. CWE-89 (SQL Injection) classification provided by [email protected].

Official resources

2026-05-28