CVE-2026-45288
JasperFx · Marten
Marten, a .NET transactional document database, is vulnerable to SQL injection because it fails to properly parameterize the regConfig parameter in full-text search APIs.
Executive summary
A critical SQL injection vulnerability in the Marten .NET library allows attackers to execute arbitrary database commands via unsanitized full-text search inputs.
Vulnerability
The vulnerability stems from improper neutralization of special elements in the regConfig parameter of full-text search APIs. This allows for SQL injection when untrusted user input is passed into these functions without adequate validation.
Business impact
With a CVSS score of 9.8, this vulnerability poses a severe risk to data integrity and confidentiality. Exploitation could allow an attacker to bypass application logic, exfiltrate sensitive data from the underlying PostgreSQL database, or cause significant system disruption.
Remediation
Immediate Action: Upgrade the JasperFx Marten library to version 8.36.1 or later to ensure the regConfig parameter is properly parameterized.
Proactive Monitoring: Inspect application logs for anomalous database queries or unexpected syntax errors originating from search functionality. Monitor PostgreSQL server logs for unusual query patterns.
Compensating Controls: Utilize input validation and sanitization routines at the application layer to block malicious payloads from reaching the database driver.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability represents a significant risk to any application utilizing the affected versions of Marten. Development teams must prioritize the transition to version 8.36.1 to eliminate the SQL injection vector and protect the underlying database infrastructure.