Upgrade Marten to version 8.37.0 or higher.
Affected versions of this package are vulnerable to SQL Injection via the regConfig parameter in full-text search APIs. An attacker can execute arbitrary SQL commands by supplying crafted input to the regConfig parameter, which is interpolated directly into SQL statements without validation or parameterization. This can lead to unauthorized data access, data modification, or denial of service through actions such as exfiltrating database contents, executing DDL statements, or causing time-based delays. This is only exploitable if attacker-controlled input is forwarded to the regConfig parameter; applications that hard-code regConfig to a compile-time constant are not affected.
This vulnerability can be mitigated by hard-coding the regConfig parameter to a compile-time constant, validating externally-sourced regConfig values against a strict regex or allowlist, or omitting the regConfig argument to use the safe default.
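As an added example, not code from Marten or from this advisory, the following shows the allowlist mitigation in practice: a request-supplied value is resolved against a fixed set of text search configuration names before it is ever passed on as regConfig. The configuration names, the `Article` type and the `Search` LINQ call are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Marten;

// Gate for the regConfig parameter: the only values that may reach Marten are the
// PostgreSQL text search configurations this application knowingly uses.
// (Constructed allowlist for this example; adjust to what your database installs.)
public static class RegConfigGuard
{
    private const string DefaultConfig = "english";

    private static readonly HashSet<string> Allowed =
        new(StringComparer.OrdinalIgnoreCase) { "english", "simple", "german", "french" };

    // Secondary check: a regconfig name must look like a bare identifier, so quotes,
    // semicolons, whitespace and comment markers are rejected even before the allowlist.
    private static readonly Regex Identifier =
        new("^[a-z_][a-z0-9_]{0,62}$", RegexOptions.Compiled | RegexOptions.IgnoreCase);

    // Returns the canonical allowlisted name, the default when nothing was requested,
    // or throws so the caller never forwards an unvetted string to the search API.
    public static string Resolve(string? requested)
    {
        if (string.IsNullOrWhiteSpace(requested))
            return DefaultConfig; // omitted by the caller: use the fixed default

        if (!Identifier.IsMatch(requested) || !Allowed.TryGetValue(requested, out var canonical))
            throw new ArgumentException($"Unsupported text search configuration '{requested}'.");

        return canonical; // the stored allowlist spelling, not the caller's bytes
    }
}

// Usage sketch (assumes Marten's Search() LINQ extension taking the term and regConfig):
//
// var regConfig = RegConfigGuard.Resolve(request.Query["lang"]); // validated first
// var hits = await session.Query<Article>()
//                         .Where(a => a.Search(request.Query["q"], regConfig))
//                         .ToListAsync();
```

Hard-coding `regConfig` to a constant at the call site remains the simplest option; the guard above is for applications that genuinely need to choose between several configurations at runtime.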