CVE-2026-45288: Marten full-text search exposes users to SQL injection attacks
GHSA-vmw2-qwm8-x84c
CVE-2026-45288
Summary
Marten's full-text search feature has a security issue that allows attackers to inject malicious SQL code. This could allow attackers to access or modify sensitive data. To protect your data, update to a version of Marten that fixes this issue.
What to do
- Update marten to version 8.37.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| nuget | – | marten | <= 8.36 (fix: upgrade to 8.37.0) |
Original title
Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the genera...
Original description
Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1.
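The C# below is an added example, not Marten's own code: it is constructed to show the shape of the defect the advisory describes (a text-search configuration name spliced into statement text) next to two ways a caller can close that path. It assumes a table `docs` with a text column `body`, the Npgsql driver, and a hand-picked allowlist of configuration names; none of those details come from the advisory.

```csharp
// Added example, not Marten's code. Contrasts the interpolation pattern the
// advisory describes with an allowlist and a bound-parameter alternative.
// Table "docs" / column "body" and the allowlist contents are assumptions.
using System;
using System.Collections.Generic;
using Npgsql;

public static class FullTextSearchSql
{
    // VULNERABLE (constructed to mirror the advisory): regConfig is
    // interpolated into the statement text, so any caller that forwards
    // untrusted input here turns that input into SQL. Do not use this shape.
    public static string BuildUnsafe(string regConfig)
        => $"SELECT id FROM docs WHERE to_tsvector('{regConfig}', body) @@ plainto_tsquery('{regConfig}', @query)";

    // Hardened option 1: allowlist. PostgreSQL's configurations are a fixed,
    // server-defined set (see pg_catalog.pg_ts_config); the application can
    // enumerate the ones it actually supports and reject everything else
    // before any SQL is built. The list below is an assumed subset.
    private static readonly HashSet<string> SupportedConfigs =
        new(StringComparer.Ordinal) { "simple", "english", "german", "french", "spanish" };

    public static string BuildWithAllowlist(string regConfig)
    {
        if (regConfig is null || !SupportedConfigs.Contains(regConfig))
            throw new ArgumentException(
                $"Unsupported text search configuration: '{regConfig}'", nameof(regConfig));

        // Safe only because regConfig has just been proven to be one of the
        // literal names above; nothing else can reach the interpolation.
        return $"SELECT id FROM docs WHERE to_tsvector('{regConfig}', body) @@ plainto_tsquery('{regConfig}', @query)";
    }

    // Hardened option 2: bind the name as a parameter and cast it server-side.
    // regconfig is an ordinary PostgreSQL type, so the value never becomes
    // statement text; an unknown name makes the server raise an error instead.
    public static NpgsqlCommand BuildParameterized(string regConfig, string query)
    {
        var cmd = new NpgsqlCommand(
            "SELECT id FROM docs WHERE to_tsvector(@cfg::regconfig, body) @@ plainto_tsquery(@cfg::regconfig, @query)");
        cmd.Parameters.AddWithValue("cfg", regConfig);
        cmd.Parameters.AddWithValue("query", query);
        return cmd;
    }

    public static void Main()
    {
        // Constructed inputs: a legitimate configuration name and a value
        // that is not a configuration name at all (it carries a quote).
        foreach (var input in new[] { "english", "english'" })
        {
            Console.WriteLine($"Input: {input}");
            Console.WriteLine("  unsafe SQL : " + BuildUnsafe(input));
            try
            {
                Console.WriteLine("  allowlist  : " + BuildWithAllowlist(input));
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("  allowlist  : rejected (" + ex.Message + ")");
            }
            using var cmd = BuildParameterized(input, "search terms");
            Console.WriteLine("  bound SQL  : " + cmd.CommandText
                + "  [cfg=" + cmd.Parameters["cfg"].Value + "]");
        }
    }
}
```

Running it shows the second input landing inside the unsafe statement text, being rejected by the allowlist, and travelling only as a parameter value in the bound form. The two hardened options differ in policy: the allowlist also restricts which installed configurations a caller may pick, while the bound parameter removes the injection path but still lets any installed configuration be selected.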
CVSS 3.1 (GHSA): 9.8
Vulnerability type
- CWE-74: Injection
- CWE-89: SQL Injection
Published: 28 May 2026 · Updated: 1 Jun 2026 · First seen: 14 May 2026