CVE-2026-45288: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in JasperFx marten
CVE-2026-45288 is a critical SQL injection vulnerability in JasperFx Marten versions prior to 8. 36. 1. The issue arises because the full-text search APIs interpolate the user-supplied regConfig parameter directly into SQL queries without proper parameterization or validation. This allows an attacker to inject malicious SQL commands via untrusted input. The vulnerability has a CVSS score of 9. 8, indicating high impact on confidentiality, integrity, and availability. A fix is available in version 8. 36. 1.
AI Analysis
Technical Summary
JasperFx Marten, a .NET transactional document database and event store on PostgreSQL, contained a SQL injection vulnerability (CWE-89) in its full-text search APIs prior to version 8.36.1. The vulnerability occurs because the regConfig parameter, which can be influenced by user input, is directly interpolated into SQL statements without parameterization or validation. This flaw allows attackers to execute arbitrary SQL commands, potentially compromising the database. The vulnerability is fixed in Marten version 8.36.1.
Potential Impact
Successful exploitation of this vulnerability can lead to full compromise of the underlying PostgreSQL database, including unauthorized data disclosure, data modification, and denial of service. The CVSS score of 9.8 reflects critical impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild at the time of disclosure.
Mitigation Recommendations
Upgrade JasperFx Marten to version 8.36.1 or later, where this SQL injection vulnerability has been fixed. Until the upgrade is applied, avoid passing untrusted input to the regConfig parameter in full-text search APIs. Patch status is confirmed by the vendor's release of version 8.36.1 containing the fix.
CVE-2026-45288: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in JasperFx marten
Description
CVE-2026-45288 is a critical SQL injection vulnerability in JasperFx Marten versions prior to 8. 36. 1. The issue arises because the full-text search APIs interpolate the user-supplied regConfig parameter directly into SQL queries without proper parameterization or validation. This allows an attacker to inject malicious SQL commands via untrusted input. The vulnerability has a CVSS score of 9. 8, indicating high impact on confidentiality, integrity, and availability. A fix is available in version 8. 36. 1.
CVSS v3.1
Score 9.8critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
JasperFx Marten, a .NET transactional document database and event store on PostgreSQL, contained a SQL injection vulnerability (CWE-89) in its full-text search APIs prior to version 8.36.1. The vulnerability occurs because the regConfig parameter, which can be influenced by user input, is directly interpolated into SQL statements without parameterization or validation. This flaw allows attackers to execute arbitrary SQL commands, potentially compromising the database. The vulnerability is fixed in Marten version 8.36.1.
Potential Impact
Successful exploitation of this vulnerability can lead to full compromise of the underlying PostgreSQL database, including unauthorized data disclosure, data modification, and denial of service. The CVSS score of 9.8 reflects critical impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild at the time of disclosure.
Mitigation Recommendations
Upgrade JasperFx Marten to version 8.36.1 or later, where this SQL injection vulnerability has been fixed. Until the upgrade is applied, avoid passing untrusted input to the regConfig parameter in full-text search APIs. Patch status is confirmed by the vendor's release of version 8.36.1 containing the fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-11T20:14:43.200Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a18aa29e29bf47b5027bd91
Added to database: 5/28/2026, 8:48:41 PM
Last enriched: 5/28/2026, 9:20:37 PM
Last updated: 5/29/2026, 1:37:48 PM
Views: 17
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.