CVE-2026-45288

Source
https://cve.org/CVERecord?id=CVE-2026-45288
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45288.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45288
Aliases
Published
2026-05-28T20:20:11.377Z
Modified
2026-07-08T08:15:33.049228591Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Marten has an SQL injection vulnerability in its full-text search regConfig parameter
Details

Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "8.36.1"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45288.json",
    "cwe_ids": [
        "CWE-89"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/jasperfx/marten

Affected ranges

Type
GIT
Repo
https://github.com/jasperfx/marten
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

2.*
2.10.0
2.4.0
2.7.0
2.7.1
3.*
3.0.0
3.1.0
3.10.0
3.11.0
3.12.0
3.12.1
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.6.1
3.6.2
3.7.0
3.7.1
3.8.0
3.8.1
3.9.0
4.*
4.0.0
4.0.0-alpha.10
4.0.0-alpha.11
4.0.0-alpha.5
4.0.0-alpha.6
4.0.0-alpha.7
4.0.0-alpha.8
4.0.0-alpha.9
4.0.0-rc.3
4.0.0-rc.4
4.0.0-rc.6
4.0.0-rc.7
4.0.0-rc.8
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0
4.2.0
4.3.1
5.*
5.0.0
5.0.0-alpha.5
5.0.0-alpha.6
5.0.0-rc.1
5.1.0
5.10.0
5.10.1
5.11.0
5.2.0
5.3.0
5.3.1
5.4.0
5.5.0
5.5.1
5.5.2
5.6.0
5.7.0
5.8.0
5.9.0
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1.0
6.4.1
7.*
7.0.0-alpha.1
7.0.0-beta.1
7.0.0-beta.2
7.0.0-beta.3
7.0.0-beta.4
7.0.0-beta.5
V1.*
V1.17.1
V7.*
V7.0.0.rc-1
V7.0.0.rc-2
V7.1.0
V7.1.1
V7.10.0
V7.10.1
V7.10.2
V7.12.0
V7.13.0
V7.14.0
V7.15.0
V7.16.0
V7.17.0
V7.18.0
V7.19.0
V7.19.1
V7.2.0
V7.20.0
V7.20.1
V7.20.2
V7.21.0
V7.21.1
V7.22.0
V7.23.0
V7.23.1
V7.24.0
V7.25.1
V7.25.2
V7.26.0
V7.26.1
V7.26.2
V7.26.3
V7.26.4
V7.26.5
V7.26.6
V7.27.0
V7.28.0
V7.28.1
V7.28.2
V7.29.0
V7.3.0
V7.3.1
V7.30.0
V7.30.1
V7.30.2
V7.30.3
V7.31.0
V7.31.1
V7.31.2
V7.31.3
V7.32.0
V7.33.0
V7.33.1
V7.33.3
V7.34.0
V7.34.1
V7.35.0
V7.35.1
V7.35.2
V7.35.3
V7.36.0
V7.37.0
V7.37.1
V7.37.2
V7.37.3
V7.38.0
V7.39.1
V7.4.0
V7.5.0
V7.6.0
V7.7.0
V7.8.0
V7.9.0
V8.*
V8.0.0
V8.0.1
V8.1.0
V8.1.2
V8.10.0
V8.10.1
V8.11.0
V8.12.0
V8.13.0
V8.13.1
V8.13.2
V8.13.3
V8.14.0
V8.15.0
V8.15.1
V8.15.3
V8.16.0
V8.16.1
V8.16.4
V8.18.0
V8.18.1
V8.18.2
V8.18.3
V8.19.0
V8.2.0
V8.2.1
V8.20
V8.21.0
V8.22.0
V8.22.1
V8.22.2
V8.23.0
V8.24.0
V8.25
V8.26.0
V8.26.1
V8.26.2
V8.27.0
V8.28.0
V8.29.0
V8.29.3
V8.3.0
V8.3.1
V8.3.2
V8.30.0
V8.30.1
V8.31.0
V8.32.0
V8.32.1
V8.33.0
V8.34.0
V8.34.1
V8.34.2
V8.35.0
V8.36.0
V8.4.0
V8.5.0
V8.6.0
V8.7.0
V8.8.0
V8.8.1
V8.8.2
V8.9.0
v2.*
v2.3
v2.3.1
v2.3.2
v2.6.0
v2.8.0
v2.9.0
v4.*
v4.3.0
v6.*
v6.2.0
v6.3.0
v6.4.0
v7.*
v7.0.0
v7.11.0
v7.25.0
v7.33.2
v8.*
v8.16.2
v8.16.3
v8.17.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45288.json"