Marten has an injection vulnerability in its full-text search regConfig parameter — CVE-2026-45288
GHSA · GitHub · CVE-2026-45288
ID
CVE-2026-45288
CVE-2026-45288
Date
Activity
Source
GHSA
GHSA
Vendor
GitHub
GitHub
Threat
critical
critical
CVSS
9.8
9.8
Summary
## Summary Marten's full-text search APIs interpolated the user-supplied `regConfig` parameter directly into the generated SQL without parameterization or validation, making every code path that exposes `regConfig` to untrusted input a SQL injection sink. ## Affected APIs - `IQuerySession.SearchAsync<T>(string searchTerm, string regConfig, ...)` - `IQuerySession.PlainTextSearchAsync<T>(...)` -…
Product
nuget: Marten
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.