{"id":"CVE-2026-45288","summary":"Marten has an SQL injection vulnerability in its full-text search regConfig parameter","details":"Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1.","aliases":["GHSA-vmw2-qwm8-x84c"],"modified":"2026-07-08T08:15:33.049228591Z","published":"2026-05-28T20:20:11.377Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45288.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"fixed":"8.36.1"}]}],"cwe_ids":["CWE-89"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45288.json"},{"type":"ADVISORY","url":"https://github.com/JasperFx/marten/security/advisories/GHSA-vmw2-qwm8-x84c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45288"},{"type":"FIX","url":"https://github.com/JasperFx/marten/commit/626249656829860b9c55895b5b6046b61a2a695f"},{"type":"FIX","url":"https://github.com/JasperFx/marten/pull/4343"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jasperfx/marten","events":[{"introduced":"0"},{"fixed":"626249656829860b9c55895b5b6046b61a2a695f"}],"database_specific":{"source":"REFERENCES"}}],"versions":["V8.36.0","V8.35.0","V8.34.2","V8.34.1","V8.34.0","V8.33.0","V8.32.1","V8.32.0","V8.31.0","V8.30.1","V8.30.0","V8.29.3","V8.29.0","V8.28.0","V8.27.0","V8.26.2","V8.26.1","V8.26.0","V8.25","V8.24.0","V8.23.0","V8.22.2","V8.22.1","V8.22.0","V8.21.0","V8.20","V8.19.0","V8.18.3","V8.18.2","V8.18.1","V8.18.0","v8.17.0","V8.16.4","v8.16.3","v8.16.2","V8.16.1","V8.16.0","V8.15.3","V8.15.1","V8.15.0","V8.14.0","V8.13.3","V8.13.2","V8.13.1","V8.13.0","V8.12.0","V8.11.0","V8.10.1","V8.10.0","V8.9.0","V8.8.2","V8.8.1","V8.8.0","V8.7.0","V8.6.0","V8.5.0","V8.4.0","V8.3.2","V8.3.1","V8.3.0","V8.2.1","V8.2.0","V8.1.2","V8.1.0","V8.0.1","V8.0.0","V7.39.1","V7.38.0","V7.37.3","V7.37.2","V7.37.1","V7.37.0","V7.36.0","V7.35.3","V7.35.2","V7.35.1","V7.35.0","V7.34.1","V7.34.0","V7.33.3","v7.33.2","V7.33.1","V7.33.0","V7.32.0","V7.31.3","V7.31.2","V7.31.1","V7.31.0","V7.30.3","V7.30.2","V7.30.1","V7.30.0","V7.29.0","V7.28.2","V7.28.1","V7.28.0","V7.27.0","V7.26.6","V7.26.5","V7.26.4","V7.26.3","V7.26.2","V7.26.1","V7.26.0","V7.25.2","V7.25.1","v7.25.0","V7.24.0","V7.23.1","V7.23.0","V7.22.0","V7.21.1","V7.21.0","V7.20.2","V7.20.1","V7.20.0","V7.19.1","V7.19.0","V7.18.0","V1.17.1","V7.17.0","V7.16.0","V7.15.0","V7.14.0","V7.13.0","V7.12.0","v7.11.0","V7.10.2","V7.10.1","V7.10.0","V7.9.0","V7.8.0","V7.7.0","V7.6.0","V7.5.0","V7.4.0","V7.3.1","V7.3.0","V7.2.0","V7.1.1","V7.1.0","v7.0.0","V7.0.0.rc-2","V7.0.0.rc-1","7.0.0-beta.5","7.0.0-beta.4","7.0.0-beta.3","6.4.1","7.0.0-beta.2","7.0.0-beta.1","7.0.0-alpha.1","v6.4.0","v6.3.0","v6.2.0","6.1.0","6.0.4","6.0.3","6.0.2","6.0.1","6.0.0","5.11.0","5.10.1","5.10.0","5.9.0","5.8.0","5.7.0","5.6.0","5.5.2","5.5.1","5.5.0","5.4.0","5.3.1","5.3.0","5.2.0","5.1.0","5.0.0","5.0.0-rc.1","5.0.0-alpha.6","4.3.1","5.0.0-alpha.5","v4.3.0","4.2.0","4.1.0","4.0.4","4.0.3","4.0.2","4.0.1","4.0.0","4.0.0-rc.8","4.0.0-rc.7","4.0.0-rc.6","4.0.0-rc.4","4.0.0-rc.3","4.0.0-alpha.11","4.0.0-alpha.10","4.0.0-alpha.9","4.0.0-alpha.8","4.0.0-alpha.7","4.0.0-alpha.6","4.0.0-alpha.5","3.12.1","3.12.0","3.11.0","3.10.0","3.9.0","3.8.1","3.8.0","3.7.1","3.7.0","3.6.2","3.6.1","3.6.0","3.5.0","3.4.0","3.3.0","3.2.0","3.1.0","3.0.0","2.10.0","v2.9.0","v2.8.0","2.7.1","2.7.0","v2.6.0","2.4.0","v2.3.2","v2.3.1","v2.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45288.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}