# [CRIT] [GHSA / CRITICAL] CVE-2026-45288: Marten has an injection vulnerability in its full-text search regConfig parameter

**Source:** GitHub Security Advisories
**Published:** 2026-05-14
**Article:** https://github.com/advisories/GHSA-vmw2-qwm8-x84c

## Threat Profile

Marten has an injection vulnerability in its full-text search regConfig parameter

## Summary

Marten's full-text search APIs interpolated the caller-supplied `regConfig` argument (the PostgreSQL text search configuration name, such as `english`, that Marten passes to `to_tsvector`/`to_tsquery`) directly into the generated SQL, with no parameterization and no validation against legitimate configuration names. Every code path that lets untrusted input reach `regConfig` is therefore a SQL injection sink that runs with the privileges of Marten's database connection. Until the application is on a fixed Marten release, treat `regConfig` as an application constant or an allowlisted value and never pass it through from a request.

## Affected APIs

- `IQuerySession.SearchAsync<T>(string searchTerm, string regConfig, ...)`
- `IQuerySession.PlainTextSearchAsync<T>(...)`
- `IQuerySession.Ph…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-45288`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1059** — Command and Scripting Interpreter

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Marten CVE-2026-45288 regConfig SQL injection attempt in web traffic

`UC_289_1` · phase: **exploit** · confidence: **High** · AI-generated for this article

The URL patterns only see payloads carried in the path or query string; if the application takes `regConfig` from a POST body or JSON payload, the Web data model will not contain it and the database-side hunt (UC_289_3) is the better signal. Matches on `pg_sleep(` or `DROP TABLE mt_doc_` alone are generic SQL injection probes and should be triaged as such even when the request is not aimed at a search endpoint.

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, min(_time) as firstSeen, max(_time) as lastSeen, values(Web.url) as urls, values(Web.http_user_agent) as agents, values(Web.status) as statuses
    from datamodel=Web
    where (Web.uri_query="*::regconfig*"
        OR Web.uri_query="*%3A%3Aregconfig*"
        OR Web.uri_query="*%3a%3aregconfig*"
        OR Web.uri_query="*pg_sleep(*"
        OR Web.uri_query="*DROP TABLE mt_doc_*"
        OR Web.uri_query="*drop table mt_doc_*"
        OR Web.uri_query="*to_tsvector('*"
        OR Web.uri_query="*'::text);*"
        OR Web.url="*::regconfig*"
        OR Web.url="*pg_sleep(*"
        OR Web.url="*DROP TABLE mt_doc_*")
    by Web.src, Web.dest, Web.http_user_agent
| `drop_dm_object_name(Web)`
| sort - lastSeen
```

### Vulnerable Marten library (CVE-2026-45288) present on host — proactive exposure hunt

`UC_289_2` · phase: **recon** · confidence: **Medium** · AI-generated for this article

Confidence is Medium because the file hunt only locates the assembly; whether the deployed version is affected has to be confirmed from the application's `*.deps.json` or `packages.lock.json`, and the TVM match only fires where Defender has inventoried the package.

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, min(_time) as firstSeen, max(_time) as lastSeen, values(Filesystem.file_path) as file_paths, values(Filesystem.user) as users
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_name="Marten.dll"
    by Filesystem.dest
| `drop_dm_object_name(Filesystem)`
| sort - lastSeen
```

**Defender KQL:**
```kql
let TvmHits = DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2026-45288"
    // Vulnerability findings are a snapshot table without a Timestamp column;
    // stamp the rows so they can be unioned and ordered with the file events below.
    | extend Timestamp = now()
    | project Timestamp, DeviceName, DeviceId, SoftwareName, SoftwareVersion,
              Detail = strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion),
              Source = "TVM";
let FileHits = DeviceFileEvents
    | where Timestamp > ago(30d)
    | where FileName =~ "Marten.dll"
    | summarize Timestamp = max(Timestamp), Paths = make_set(FolderPath, 32) by DeviceName, DeviceId
    | extend SoftwareName = "Marten.dll",
             SoftwareVersion = "unknown - inspect packages.lock.json / *.deps.json",
             Detail = tostring(Paths),
             Source = "FileEvent"
    | project Timestamp, DeviceName, DeviceId, SoftwareName, SoftwareVersion, Detail, Source;
union TvmHits, FileHits
| order by Timestamp desc
```

### Marten CVE-2026-45288 injection observed executing in PostgreSQL audit log

`UC_289_3` · phase: **exploit** · confidence: **High** · AI-generated for this article

This requires statement-level logging on the database (`log_statement = 'all'`, or pgaudit with statement logging enabled). Because the injected text replaces the configuration name, it appears verbatim inside the `to_tsvector(` / `to_tsquery(` call in the logged statement, whereas the search term, which Marten binds as a parameter, is logged as a parameter value rather than inline; the `to_tsvector(` term in the search is what ties a generic payload string to this sink.

**Splunk SPL (CIM):**
```spl
index=* (sourcetype=postgresql:* OR sourcetype="postgres:*" OR sourcetype=postgres-log OR sourcetype="postgres:activity" OR sourcetype=pgaudit) "to_tsvector(" ("pg_sleep(" OR "DROP TABLE mt_doc_" OR "drop table mt_doc_" OR "'; SELECT version" OR "'::text);")
| stats min(_time) as firstSeen, max(_time) as lastSeen, count, values(sourcetype) as sourcetypes, values(_raw) as samples by host
| sort - lastSeen
```
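The following added example runs the logic of UC_289_1 and UC_289_3 over constructed log lines so the two hunts can be checked offline (this is illustrative Python written for this page, not code from Marten or from the SIEM templates; the log lines, endpoint path and table name are constructed). It URL-decodes and lowercases web access lines before matching, which is what the three spellings of `::regconfig` in the SPL are compensating for, and for database lines it requires the `to_tsvector(` context marker in addition to a payload marker, mirroring the AND in the PostgreSQL search:

```python
from urllib.parse import unquote_plus

# Payload markers lifted from the hunts above, all lowercase; matching is done on
# a lowercased copy of each line so the upper/lower-case variants collapse.
PAYLOAD_MARKERS = ("pg_sleep(", "drop table mt_doc_", "'; select version", "'::text);")
CONTEXT_MARKER = "to_tsvector("
REGCONFIG_MARKER = "::regconfig"


def normalize_web(line: str) -> str:
    """Decode twice to cover double-encoded query strings, then lowercase."""
    return unquote_plus(unquote_plus(line)).lower()


def classify_web_line(line: str) -> list:
    """UC_289_1: any payload marker, the ::regconfig cast, or a bare
    to_tsvector( in a request URL is suspicious on its own."""
    text = normalize_web(line)
    hits = [m for m in PAYLOAD_MARKERS if m in text]
    if REGCONFIG_MARKER in text:
        hits.append(REGCONFIG_MARKER)
    if CONTEXT_MARKER in text:
        hits.append(CONTEXT_MARKER)
    return hits


def classify_pg_line(line: str) -> list:
    """UC_289_3: require to_tsvector( plus a payload marker, so an unrelated
    pg_sleep() call or a legitimate search never fires on its own."""
    text = line.lower()
    if CONTEXT_MARKER not in text:
        return []
    return [m for m in PAYLOAD_MARKERS if m in text]


def hunt(lines, classifier) -> list:
    """Return (line index, markers hit) for every line the classifier flags."""
    results = []
    for i, line in enumerate(lines):
        hits = classifier(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed web access log lines (combined log format); /api/articles/search
# and the regConfig query parameter are assumptions for the illustration.
SAMPLE_WEB = [
    '10.0.0.5 - - [14/May/2026:10:01:02 +0000] "GET /api/articles/search?term=rust&regConfig=english HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/May/2026:10:01:09 +0000] "GET /api/articles/search?term=x&regConfig=english%27%29%3B%20select%20pg_sleep%285%29%3B%20-- HTTP/1.1" 500 0',
    '203.0.113.7 - - [14/May/2026:10:01:15 +0000] "GET /api/articles/search?term=x&regConfig=english%27%3A%3Atext%29%3B%20drop%20table%20mt_doc_article%3B%20-- HTTP/1.1" 500 0',
]

# Constructed PostgreSQL log lines as produced with log_statement = 'all'.
SAMPLE_PG = [
    "2026-05-14 10:01:02 UTC [4321] LOG:  statement: select d.data from mt_doc_article as d where to_tsvector('english', d.data) @@ to_tsquery('english', $1)",
    "2026-05-14 10:01:09 UTC [4322] LOG:  statement: select d.data from mt_doc_article as d where to_tsvector('english'); select pg_sleep(5); --', d.data) @@ to_tsquery('english', $1)",
    "2026-05-14 10:02:30 UTC [4323] LOG:  statement: select pg_sleep(5)",
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_WEB, classify_web_line):
        print("web", idx, hits)
    for idx, hits in hunt(SAMPLE_PG, classify_pg_line):
        print("pg ", idx, hits)
```

The third database line (a bare `pg_sleep(5)`) is deliberately left unflagged: it is the kind of generic probe UC_289_1 would surface from the web side, but without `to_tsvector(` in the same statement it says nothing about this particular sink.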

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-45288`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 2 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
