SingleStore Security & Trust Center

Security Bulletins

Keep up to date with the latest security updates, vulnerability reports, and expert guidance on your key questions in SingleStore's Security Bulletins.

This page tracks security alerts as well as relevant vulnerability disclosures and investigations related to SingleStore. If you are a SingleStore customer, we recommend bookmarking this page to stay up to date with the latest security bulletins.

Note that advisories on this page are reserved for issues requiring customer awareness and/or action. We may also publish notices for major industry or zero-day vulnerabilities to confirm whether they apply to SingleStore Helios or self-managed offerings. All other lower-impact items are usually documented in our release notes for SingleStore Helios or for SingleStore self-managed, respectively.

 

Security Alerts

At this time, there are no active security alerts to report.

 

Vulnerability Response & Transparency

 

02-11-2026 | MongoBleed / Unauthenticated Memory Disclosure Vulnerability in MongoDB Server (CVE-2025-14847)

Due to recent customer inquiries, we would like to clarify that we are not affected by CVE-2025-14847. While we provide built-in pipeline capabilities for data replication from MongoDB to SingleStoreDB — along with compatibility features for customers familiar with MongoDB — we do not use MongoDB Server in any SingleStoreDB product component. Therefore, this vulnerability does not impact our software.


01-28-2026 | Critical Sandbox Escape Vulnerability in Node.js VM2 (CVE-2026-22709)

We would like to inform our customers that we are not affected by CVE-2026-22709. We do not use the vm2 Node.js library in either our product or corporate environments.


01-28-2026 | January 2026 Critical and High Vulnerabilities in n8n (CVE-2026-1470 and CVE-2026-0863)

We would like to inform our customers that we are not affected by either CVE-2026-1470 or CVE-2026-0863. As per the information provided in previous bulletins, we do not use n8n in either our product or corporate environments.


01-23-2026 | Unauthorized File System Access in Undocumented SingleStoreDB Feature (via Pipeline Transform)

A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/45599666185236-Unauthorized-File-System-Access-in-Undocumented-SingleStoreDB-Feature-via-Pipeline-Transform.


01-23-2026 | FluentBit Vulnerabilities (CVE-2025-12972, CVE-2025-12970, CVE-2025-12978, CVE-2025-12977, and CVE-2025-12969)

A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/45599084089236-FluentBit-vulnerabilities-CVE-2025-12972-CVE-2025-12970-CVE-2025-12978-CVE-2025-12977-and-CVE-2025-12969.


01-13-2026 | LangGrinch / Critical LangChain Core Serialization Injection (CVE-2025-68664)

A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/45246880204308-LangGrinch-CVE-2025-68664-Critical-LangChain-Core-serialization-injection-bug.


01-07-2026 | Ni8mare / Critical Vulnerability in n8n (CVE-2026-21858)

We would like to inform our customers that we are not affected by CVE-2026-21858, also known as Ni8mare. We do not use n8n in either our product or corporate environments.


12-16-2025 | Critical Vulnerability in Oracle E-Business Suite (CVE-2025-61882)

Due to a number of inquiries regarding CVE-2025-61882, we would like to inform our customers that we are not affected by this vulnerability. We do not currently use (nor have we historically used) Oracle E-Business Suite applications.


12-04-2025 | React2Shell / Critical RCE Vulnerability in React Server Components and Next.JS (CVE-2025-55182 & CVE-2025-66478)

A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/44017558158484-React2Shell-Critical-RCE-Vulnerability-in-React-Server-Components-and-Next-JS-CVE-2025-55182-CVE-2025-66478.


12-04-2025 | Shai-Hulud Worm 2.0

A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/44017698904980-Shai-Hulud-Worm-2-0.


04-15-2025 | Critical RCE Vulnerability in Apache Parquet (CVE-2025-30065)

A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/37506955698964-Critical-RCE-Vulnerability-in-Apache-Parquet-CVE-2025-30065.


04-10-2025 | IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24514, CVE-2025-24513)

A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/37677818320276-IngressNightmare-CVE-2025-1097-CVE-2025-1098-CVE-2025-1974-CVE-2025-24514-CVE-2025-24513.


05-29-2024 | Linguistic Lumberjack (CVE-2024-4323)

A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/37678036810772-Linguistic-Lumberjack-CVE-2024-4323.


06-13-2023 | SQL injection flaw in MOVEit Transfer Vulnerability (CVE-2023-34362)

Due to a number of inquiries regarding the SQL injection flaw in the MOVEit Transfer software product, we would like to inform our customers that we are not affected by this vulnerability. We do not use MOVEit Transfer in SingleStore self-managed, SingleStore Helios, or our corporate environment and operations.


05-04-2022 | Spring4Shell (CVE-2022-22963, CVE-2010-1622, CVE-2022-22965)

Due to a number of inquiries regarding the Spring4Shell vulnerability, we would like to inform our customers that we are not affected by this vulnerability. More specifically, SingleStore is not affected by vulnerabilities identified in Spring Cloud Functions (CVE-2022-22963) or the Spring4Shell frameworks (CVE-2010-1622 / CVE-2022-22965).


12-09-2021 | Log4Shell (CVE-2021-44228)

The log4j library is a common library in the Java programming language. SingleStore uses Java solely for HDFS Pipelines, a feature used for loading data from HDFS. As of the CVE's publication, this vulnerability does not affect SingleStore, because SingleStore HDFS uses a version of log4j that is not susceptible to this CVE. As usual, we recommend that SingleStore self-managed customers update to the latest supported version of our software in accordance with our EOL policy.

 

 

Additional References

 

  • For documentation and detailed information about SingleStore’s security posture, please visit the Security & Trust Center.
  • To responsibly disclose a security vulnerability, please use our Responsible Disclosure page.
  • For our self-managed customers looking for information and timelines regarding our software support lifecycle, please refer to the SingleStore Software EOL Policy.