Description
Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1.
Published: 2026-05-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vmw2-qwm8-x84c Marten has an injection vulnerability in its full-text search regConfig parameter
History

Sat, 30 May 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Jasperfx
Jasperfx marten
Vendors & Products Jasperfx
Jasperfx marten

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1.
Title Marten has an SQL injection vulnerability in its full-text search regConfig parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T02:13:53.945Z

Reserved: 2026-05-11T20:14:43.200Z

Link: CVE-2026-45288

cve-icon Vulnrichment

Updated: 2026-05-30T02:13:47.829Z

cve-icon NVD

Status : Deferred

Published: 2026-05-28T21:16:31.220

Modified: 2026-06-01T18:41:24.920

Link: CVE-2026-45288

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:47:46Z

Weaknesses