Description
Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1.
Published: 2026-05-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Marten's full-text search API builds SQL around a regConfig argument, the name of a PostgreSQL text search configuration (for example 'english'), which is the first argument to to_tsvector() and to_tsquery(). Prior to 8.36.1 that value was interpolated into the statement text without parameterization or validation, so any code path that lets an untrusted caller choose regConfig is a SQL injection sink (CWE-89): the attacker can terminate the quoted literal and append arbitrary SQL, compromising the confidentiality, integrity, and availability of the database.

Affected Systems

The affected product is JasperFx’s Marten, a .NET Transactional Document DB and Event Store built on PostgreSQL. Versions prior to 8.36.1 are vulnerable; upgrading to 8.36.1 or later removes the flaw.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8) models the worst case: a network-reachable endpoint that forwards an attacker-chosen regConfig into Marten's full-text search with no authentication or user interaction, giving full read and write access to the database through injected SQL. Whether that case applies depends on the application. Marten's search methods take regConfig as a plain string; code that passes a hard-coded configuration name such as "english" is not exposed, while code that lets a client pick the search language is. The EPSS score is currently below 1% (very low), the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: yes. An attacker needs nothing beyond control of the regConfig value, so any deployment that sources it from untrusted input should treat patching as urgent.

Generated by OpenCVE AI on May 28, 2026 at 21:38 UTC.

Remediation

Fixed in Marten 8.36.1, per the CVE description and GHSA-vmw2-qwm8-x84c; no separate vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade JasperFx Marten to version 8.36.1 or later, which removes the vulnerable SQL construction.
  • If an upgrade is not feasible, never pass user-controlled input to regConfig. Either hard-code the configuration name or validate the value against an allow-list of text search configurations actually present in the database (select cfgname from pg_ts_config); do not rely on stripping quotes or other "SQL control characters", which is blocklist filtering that injection payloads routinely evade.
  • After remediation, review PostgreSQL statement logs (or the application's query logs) for full-text search statements whose to_tsvector/to_tsquery configuration argument is not one of the expected names, or that contain comment markers or extra clauses; these indicate prior exploitation. If found, treat the database as compromised and restore affected data from backups.
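An added example, not Marten's code and not taken from the advisory, that shows the three points above in Python: the vulnerable interpolation (the SQL template is an assumed shape built from PostgreSQL's to_tsvector(regconfig, text) and to_tsquery(regconfig, text) signatures, not Marten's exact statement), a hardened builder that allow-lists the configuration name and then binds it as a $1::regconfig parameter, and a triage pass over constructed PostgreSQL statement-log lines. The table name mt_doc_article, the payload, the partial allow-list and the log lines are all constructed for illustration.

```python
"""Added example, not Marten's code: how an interpolated regConfig becomes a
SQL injection sink, the allow-list plus bound-parameter fix, and a log triage
pass. The statement shape is an assumption modelled on PostgreSQL's
to_tsvector(regconfig, text) @@ to_tsquery(regconfig, text); it is not the
exact SQL Marten emitted."""
import re

# Pre-8.36.1 pattern (assumed shape): the search term is bound (:term) but
# the configuration name is spliced straight into the SQL text.
VULNERABLE_TEMPLATE = (
    "select d.data from mt_doc_article as d "
    "where to_tsvector('{cfg}', d.data) @@ to_tsquery('{cfg}', :term)"
)


def build_search_sql_vulnerable(reg_config: str) -> str:
    """Builds the statement the old way; reg_config is trusted blindly."""
    return VULNERABLE_TEMPLATE.format(cfg=reg_config)


# Constructed payload: closes the quoted literal, completes the predicate with
# a tautology and comments out the rest of the single-line statement, so the
# query returns every document instead of the matching ones.
PAYLOAD = "english', d.data) @@ to_tsquery('x') or true --"

# Allow-list of configuration names. Deliberately partial: PostgreSQL ships
# more and a deployment may define its own, so in practice load the set from
# `select cfgname from pg_ts_config` at startup (assumption, see lead-in).
KNOWN_REGCONFIGS = frozenset({"simple", "english", "french", "german", "spanish"})


def validate_reg_config(reg_config: str, allowed=KNOWN_REGCONFIGS) -> str:
    """Accepts only an exact allow-listed name; anything else is rejected."""
    if reg_config not in allowed:
        raise ValueError(f"unknown text search configuration: {reg_config!r}")
    return reg_config


def rejects_reg_config(reg_config: str) -> bool:
    """True if validate_reg_config() refuses the value."""
    try:
        validate_reg_config(reg_config)
    except ValueError:
        return True
    return False


def build_search_sql_hardened(reg_config: str, term: str):
    """Validates the name, then binds it as a typed parameter ($1::regconfig)
    so the driver never splices it into the statement text. Returns (sql, params)."""
    cfg = validate_reg_config(reg_config)
    sql = (
        "select d.data from mt_doc_article as d "
        "where to_tsvector($1::regconfig, d.data) @@ to_tsquery($1::regconfig, $2)"
    )
    return sql, [cfg, term]


# Constructed PostgreSQL statement-log lines (log_statement = 'all' format is
# approximated): one benign search, one unrelated query, one attack.
SAMPLE_LOG = [
    "2026-05-29 10:00:01 UTC [4127] LOG:  statement: "
    + build_search_sql_hardened("english", "marten")[0],
    "2026-05-29 10:00:02 UTC [4127] LOG:  statement: select 1",
    "2026-05-29 10:00:03 UTC [4130] LOG:  statement: "
    + build_search_sql_vulnerable(PAYLOAD),
]

# First string literal handed to to_tsvector()/to_tsquery(): the config name.
LITERAL_CFG_RE = re.compile(r"to_ts(?:vector|query)\(\s*'([^']*)'")


def flag_suspicious_fts_statements(log_lines, allowed=KNOWN_REGCONFIGS):
    """Returns log lines whose full-text search calls use a configuration
    literal outside the allow-list, or that carry an inline comment marker,
    which a generated statement never does."""
    flagged = []
    for line in log_lines:
        if "to_tsvector(" not in line and "to_tsquery(" not in line:
            continue
        literals = LITERAL_CFG_RE.findall(line)
        if any(c not in allowed for c in literals) or "--" in line or "/*" in line:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print(build_search_sql_vulnerable(PAYLOAD))
    print(build_search_sql_hardened("english", "marten"))
    for hit in flag_suspicious_fts_statements(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

The effective statement the database sees for the payload ends at the `--`, so the bound `:term` is never consulted and the filter degenerates to `... or true`. The hardened form keeps two independent controls: the allow-list stops unknown names before any SQL is built, and the `$1::regconfig` parameter means that even a gap in the list cannot turn into injection, only into a PostgreSQL error for a nonexistent configuration.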

Generated by OpenCVE AI on May 28, 2026 at 21:38 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-vmw2-qwm8-x84c
Title: Marten has an injection vulnerability in its full-text search regConfig parameter
History

Sat, 30 May 2026 03:30:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
Values added: Jasperfx, Jasperfx marten
Type: Vendors & Products
Values added: Jasperfx, Jasperfx marten

Thu, 28 May 2026 20:45:00 +0000

Type: Description
Values added: Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1.
Type: Title
Values added: Marten has an SQL injection vulnerability in its full-text search regConfig parameter
Type: Weaknesses
Values added: CWE-89
Type: References
Values added:
Type: Metrics
Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T02:13:53.945Z

Reserved: 2026-05-11T20:14:43.200Z

Link: CVE-2026-45288

Vulnrichment

Updated: 2026-05-30T02:13:47.829Z

NVD

Status : Received

Published: 2026-05-28T21:16:31.220

Modified: 2026-05-28T21:16:31.220

Link: CVE-2026-45288

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:46Z

Weaknesses