PT-2026-41160 · Maarten · Marten

Published

2026-05-14

·

Updated

2026-05-28

·

CVE-2026-45288

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Marten versions prior to 8.36.1

Description

Full-text search APIs interpolate the user-supplied regConfig parameter directly into generated SQL without parameterization or validation. This creates a SQL injection sink in any code path where regConfig is exposed to untrusted input. The issue occurs because the FullTextWhereFragment function renders the WHERE-clause SQL using string interpolation, allowing an attacker to terminate the SQL literal with a single quote and append arbitrary PostgreSQL commands. This can lead to unauthorized data exfiltration, modification or deletion of database contents, and denial of service via time-based payloads.

Affected API endpoints and methods include:
  • 'IQuerySession.SearchAsync(string searchTerm, string regConfig, ...)'
  • 'IQuerySession.PlainTextSearchAsync(...)'
  • 'IQuerySession.PhraseSearchAsync(...)'
  • 'IQuerySession.WebStyleSearchAsync(...)'
  • 'IQuerySession.PrefixSearchAsync(...)'
  • 'IQueryable.Where(x => x.Search(term, regConfig))' and the associated extension methods for PlainTextSearch, PhraseSearch, WebStyleSearch, and PrefixSearch.

Recommendations

Update to version 8.36.1 or later. Until the update is applied, one of the following temporary workarounds can be used:
  • Hard-code the regConfig parameter to a compile-time constant and do not accept it from request input.
  • Validate any externally sourced regConfig value against the regular expression ^[a-zA-Z ][a-zA-Z0-9 ]*(.[a-zA-Z ][a-zA-Z0-9 ]*)?$ or against an allowlist of approved PostgreSQL text search configurations before passing it to the library.
  • Remove the regConfig argument from the call site so that the library uses its safe default value.
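A guard for the regConfig argument, written as an added example rather than code from the Marten project: it combines the recommended allowlist and shape check so that an unvalidated value never reaches the search API. The allowlist contents, the Article type and the SearchAsync<T> call shape are assumptions, and the dot in the regular expression is taken as a literal schema.config separator.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example: validates regConfig before it reaches Marten's search APIs.
public static class RegConfigGuard
{
    // Approved text search configurations (assumed list; use the names your
    // database actually defines, e.g. from "SELECT cfgname FROM pg_ts_config").
    private static readonly HashSet<string> Approved =
        new HashSet<string>(StringComparer.Ordinal) { "english", "simple", "public.english" };

    // Shape check from the advisory's workaround. The dot is escaped so it only
    // matches a literal schema.config separator (assumption); \z rather than $
    // keeps a trailing newline from passing the anchor.
    private static readonly Regex Shape = new Regex(
        @"^[a-zA-Z ][a-zA-Z0-9 ]*(\.[a-zA-Z ][a-zA-Z0-9 ]*)?\z",
        RegexOptions.CultureInvariant);

    // Accept only values that have the expected shape AND are on the allowlist.
    public static bool IsSafe(string regConfig) =>
        regConfig != null && Shape.IsMatch(regConfig) && Approved.Contains(regConfig);

    // Returns the validated value or throws, so the interpolated SQL is never
    // built from untrusted input.
    public static string Require(string regConfig)
    {
        if (!IsSafe(regConfig))
            throw new ArgumentException("regConfig is not an approved text search configuration.", nameof(regConfig));
        return regConfig;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs: "french" has a valid shape but is not approved;
        // the last one carries the single quote that breaks out of the SQL literal.
        foreach (var candidate in new[] { "english", "public.english", "french", "english'--" })
            Console.WriteLine($"{candidate,-16} safe={RegConfigGuard.IsSafe(candidate)}");

        // Call-site usage (signature assumed from the advisory's method listing):
        // var hits = await session.SearchAsync<Article>(term, RegConfigGuard.Require(userRegConfig));
    }
}
```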

Fix

Weakness Enumeration

SQL injection

Special Elements Injection

Related Identifiers

CVE-2026-45288
GHSA-VMW2-QWM8-X84C

Affected Products

Marten