{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/jasperfx/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Marten (\u003c= 8.36)"],"_cs_severities":["critical"],"_cs_tags":["sql-injection","cve","ghsa","web-application"],"_cs_type":"advisory","_cs_vendors":["JasperFx"],"content_html":"\u003cp\u003eMarten, a .NET transactional document database and event store, contains a SQL injection vulnerability (CVE-2026-45288) in versions 8.36 and earlier. The vulnerability stems from the improper handling of the \u003ccode\u003eregConfig\u003c/code\u003e parameter within its full-text search APIs. Specifically, the \u003ccode\u003eregConfig\u003c/code\u003e parameter, intended to specify the text search configuration, is directly interpolated into SQL queries without sufficient validation or parameterization. This allows an attacker to inject arbitrary SQL commands by crafting a malicious \u003ccode\u003eregConfig\u003c/code\u003e value. Successful exploitation can lead to unauthorized data access, modification, or denial-of-service. 
The vulnerability was privately reported and patched in version 8.36.1 by introducing regular expression validation of the \u003ccode\u003eregConfig\u003c/code\u003e parameter.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an application using a vulnerable version of Marten (\u0026lt;= 8.36) with an exposed \u003ccode\u003eregConfig\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eregConfig\u003c/code\u003e value containing a SQL injection payload (e.g., \u003ccode\u003eenglish'; SELECT version(); --\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious \u003ccode\u003eregConfig\u003c/code\u003e value into one of the vulnerable API endpoints like \u003ccode\u003eIQuerySession.SearchAsync\u0026lt;T\u0026gt;(string searchTerm, string regConfig, ...)\u003c/code\u003e via a request parameter (e.g., \u003ccode\u003e?lang=\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Marten application receives the request and incorporates the malicious \u003ccode\u003eregConfig\u003c/code\u003e value into the generated SQL query.\u003c/li\u003e\n\u003cli\u003eThe database executes the attacker-injected SQL commands. 
This could involve selecting data, dropping tables, or causing delays using \u003ccode\u003epg_sleep\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker observes the effects of the injected SQL, such as information disclosure through error messages or timing differences, or direct extraction if query results are surfaced.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates the attack based on the initial success, potentially gaining full control over the database contents or disrupting service availability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-45288) can have severe consequences. An attacker could gain unauthorized access to sensitive data, leading to confidentiality breaches. Data integrity is also at risk, as attackers can modify or delete data. Furthermore, attackers can cause denial-of-service by injecting commands that consume excessive resources or disrupt database operations. The specific impact depends on the privileges of the database user used by the Marten application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Marten to version 8.36.1 or later to remediate the vulnerability. The patch introduces validation on the \u003ccode\u003eregConfig\u003c/code\u003e parameter (\u003ca href=\"https://github.com/JasperFx/marten/pull/4343\"\u003eJasperFx/marten#4343\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement one of the suggested workarounds, such as hardcoding \u003ccode\u003eregConfig\u003c/code\u003e or validating user-supplied input against a safe regex.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing potentially malicious SQL injection attempts in the \u003ccode\u003eregConfig\u003c/code\u003e parameter. 
Deploy the Sigma rule to detect SQL injection attempts in HTTP requests targeting Marten applications.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the application layer to sanitize user input before passing it to Marten, specifically for the \u003ccode\u003eregConfig\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:47:18Z","date_published":"2026-05-14T20:47:18Z","id":"https://feed.craftedsignal.io/briefs/2026-05-marten-sql-injection/","summary":"Marten versions up to 8.36 are vulnerable to SQL injection because the `regConfig` parameter in full-text search APIs is not properly validated or parameterized. Attackers can inject arbitrary SQL commands by manipulating the `regConfig` parameter, potentially leading to information disclosure, data manipulation, or denial-of-service. Version 8.36.1 addresses this vulnerability.","title":"Marten Full-Text Search SQL Injection Vulnerability (CVE-2026-45288)","url":"https://feed.craftedsignal.io/briefs/2026-05-marten-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — JasperFx","version":"https://jsonfeed.org/version/1.1"}