SingleStore Security & Trust Center
Security Bulletins
Keep up to date with the latest security updates, vulnerability reports, and guidance on key customer questions through SingleStore's Security Bulletins.
This page tracks security alerts as well as relevant vulnerability disclosures and investigations related to SingleStore. If you are a SingleStore customer, we recommend bookmarking this page to stay up to date with the latest security bulletins.
Note that advisories on this page are reserved for issues requiring customer awareness and/or action. We may also publish notices for major industry or zero-day vulnerabilities to confirm whether they apply to SingleStore Helios or self-managed offerings. All other lower-impact items are usually documented in our release notes for SingleStore Helios or for SingleStore self-managed, respectively.
Security Alerts
At this time, there are no active security alerts to report.
Vulnerability Response & Transparency
04-01-2026 | Axios Supply Chain Compromise (March 2026)
SingleStore is aware of a recent supply chain incident affecting the axios JavaScript HTTP client, in which malicious versions of the package were distributed. SingleStore does use axios in limited internal contexts, but it is not included in any of our product offerings. We have reviewed our dependencies, build environments, and corporate systems, including employee laptops and development environments, and have found no evidence that we used or were impacted by the malicious packages. As a precaution against further developments in this incident, we have also deployed additional monitoring and alerting countermeasures.
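The dependency review described above is the kind of check that customers who ship npm-based software would want to run against their own lockfiles, including transitive copies that a top-level `npm ls` glance can miss. The script below is an added example and not SingleStore's code. The lockfile content and the deny-listed version numbers in it are constructed placeholders, because this page does not list the compromised axios versions; substitute the versions named in the upstream advisory before using it.

```python
import json

# Constructed sample package-lock.json (npm lockfileVersion 2/3 layout, which
# records every installed copy under "packages"). The version numbers are
# placeholders for this example only, NOT the real compromised axios versions.
SAMPLE_LOCKFILE = json.dumps({
    "name": "internal-tool",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "internal-tool", "dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {
            "version": "1.99.0",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.99.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        # A transitive dependency pinning its own, nested copy of axios.
        "node_modules/some-sdk": {
            "version": "2.3.1",
            "dependencies": {"axios": "1.98.0"},
        },
        "node_modules/some-sdk/node_modules/axios": {
            "version": "1.98.0",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.98.0.tgz",
        },
    },
})

# Placeholder deny-list (assumption for this example); replace with the
# package/version pairs named in the vendor or registry advisory.
DENYLIST = {"axios": {"1.99.0"}}


def find_installed(lock_json: str, package: str) -> dict[str, str]:
    """Map every install path of `package` in the lockfile to its resolved version.

    Nested copies such as node_modules/a/node_modules/axios are included,
    since a transitive copy is what usually slips past a top-level check.
    """
    lock = json.loads(lock_json)
    found: dict[str, str] = {}
    for path, entry in lock.get("packages", {}).items():
        # The last "node_modules/" segment names the package installed at this path
        # (scoped names like @scope/pkg survive this split intact).
        if path and path.split("node_modules/")[-1] == package:
            found[path] = entry.get("version", "")
    return found


def audit(lock_json: str, denylist: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (install_path, version) for each installed copy that is deny-listed."""
    hits = []
    for package, bad_versions in denylist.items():
        for path, version in find_installed(lock_json, package).items():
            if version in bad_versions:
                hits.append((path, version))
    return sorted(hits)


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; in practice read the real
    # package-lock.json from disk and pass its contents in.
    for install_path, version in audit(SAMPLE_LOCKFILE, DENYLIST):
        print(f"DENY-LISTED: {install_path} @ {version}")
```

Run it against every lockfile in the repository (and, for an incident like this one, against CI caches and developer machines too), since a clean top-level `package.json` says nothing about what a nested dependency pinned.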
04-01-2026 | CanisterWorm Malware Campaign
SingleStore is aware of an ongoing and evolving supply chain security incident associated with CanisterWorm and the TeamPCP threat actor group. We have conducted a thorough review of our environments and are actively monitoring the situation, including updates from relevant authorities and trusted security sources. Based on our investigation and the currently known scope of affected vendors and components, we have found no evidence of impact to our product, internal systems, or corporate environments. This bulletin may be updated as new information becomes available.
03-16-2026 | SQL Injection Vulnerability in Sequelize (CVE-2026-30951)
Due to recent customer inquiries, we would like to clarify that we are not affected by CVE-2026-30951. SingleStore does not use the Sequelize Node.js ORM in any SingleStore product, related authentication services or official client libraries. Therefore, this vulnerability does not impact our software.
03-13-2026 | Multiple Critical and High Severity Vulnerabilities in n8n
We would like to inform our customers that we are not affected by any of the high-profile, publicly disclosed vulnerabilities affecting n8n, including but not limited to CVE-2026-21858 (also known as Ni8mare), CVE-2026-1470, CVE-2026-0863, CVE-2025-68613 and CVE-2026-25049.
As stated in previous bulletins, we do not use n8n in either our product or our corporate environments.
Note: all previous bulletins regarding the aforementioned CVEs have been merged into this current bulletin.
03-10-2026 | Authentication Bypass in pac4j-jwt (CVE-2026-29000)
Due to recent customer inquiries, we would like to clarify that we are not affected by CVE-2026-29000. SingleStore does not use the pac4j Java security framework in any SingleStore product, related authentication services or official client libraries. Therefore, this vulnerability does not impact our software.
02-11-2026 | MongoBleed / Unauthenticated Memory Disclosure Vulnerability in MongoDB Server (CVE-2025-14847)
Due to recent customer inquiries, we would like to clarify that we are not affected by CVE-2025-14847. While we provide built-in pipeline capabilities for data replication from MongoDB to SingleStoreDB — along with compatibility features for customers familiar with MongoDB — we do not use MongoDB Server in any SingleStoreDB product component. Therefore, this vulnerability does not impact our software.
01-28-2026 | Critical Sandbox Escape Vulnerability in Node.js VM2 (CVE-2026-22709)
We would like to inform our customers that we are not affected by CVE-2026-22709. We do not use the vm2 Node.js library in either our product or our corporate environments.
01-23-2026 | Unauthorized File System Access in Undocumented SingleStoreDB Feature (via Pipeline Transform)
A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/45599666185236-Unauthorized-File-System-Access-in-Undocumented-SingleStoreDB-Feature-via-Pipeline-Transform.
01-23-2026 | FluentBit Vulnerabilities (CVE-2025-12972, CVE-2025-12970, CVE-2025-12978, CVE-2025-12977, and CVE-2025-12969)
A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/45599084089236-FluentBit-vulnerabilities-CVE-2025-12972-CVE-2025-12970-CVE-2025-12978-CVE-2025-12977-and-CVE-2025-12969.
01-13-2026 | LangGrinch / Critical LangChain Core Serialization Injection (CVE-2025-68664)
A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/45246880204308-LangGrinch-CVE-2025-68664-Critical-LangChain-Core-serialization-injection-bug.
12-16-2025 | Critical Vulnerability in Oracle E-Business Suite (CVE-2025-61882)
Due to a number of inquiries regarding CVE-2025-61882 we would like to inform our customers that we are not affected by this vulnerability. We do not currently use (nor have we historically used) Oracle E-Business Suite applications.
12-04-2025 | React2Shell / Critical RCE Vulnerability in React Server Components and Next.JS (CVE-2025-55182 & CVE-2025-66478)
A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/44017558158484-React2Shell-Critical-RCE-Vulnerability-in-React-Server-Components-and-Next-JS-CVE-2025-55182-CVE-2025-66478.
12-04-2025 | Shai-Hulud Worm 2.0
A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/44017698904980-Shai-Hulud-Worm-2-0.
04-15-2025 | Critical RCE Vulnerability in Apache Parquet (CVE-2025-30065)
A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/37506955698964-Critical-RCE-Vulnerability-in-Apache-Parquet-CVE-2025-30065.
04-10-2025 | IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24514, CVE-2025-24513)
A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/37677818320276-IngressNightmare-CVE-2025-1097-CVE-2025-1098-CVE-2025-1974-CVE-2025-24514-CVE-2025-24513.
05-29-2024 | Linguistic Lumberjack (CVE-2024-4323)
A KB article has been published on this topic; please refer to: https://support.singlestore.com/hc/en-us/articles/37678036810772-Linguistic-Lumberjack-CVE-2024-4323.
06-13-2023 | SQL Injection Vulnerability in MOVEit Transfer (CVE-2023-34362)
Due to a number of inquiries regarding the SQL injection flaw in the MOVEit Transfer software product, we would like to inform our customers that we are not affected by this vulnerability. We do not use MOVEit Transfer in SingleStore self-managed, SingleStore Helios, or our corporate environment and operations.
05-04-2022 | Spring4Shell (CVE-2022-22963, CVE-2010-1622, CVE-2022-22965)
Due to a number of inquiries regarding the Spring4Shell vulnerability, we would like to inform our customers that we are not affected by these vulnerabilities. More specifically, SingleStore is not affected by the vulnerability identified in Spring Cloud Function (CVE-2022-22963) or by the Spring Framework vulnerabilities behind Spring4Shell (CVE-2010-1622 / CVE-2022-22965).
12-09-2021 | Log4Shell (CVE-2021-44228)
The log4j library is a widely used logging library for the Java programming language. SingleStore uses Java solely for HDFS Pipelines, a feature for loading data from HDFS. At the time the CVE was published, this vulnerability did not affect SingleStore, because the HDFS Pipelines component uses a version of log4j that is not susceptible to it. SingleStore self-managed customers are, as usual, recommended to update to the latest supported version of our software in accordance with our EOL policy.
Additional References
- For documentation and detailed information about SingleStore’s security posture, please visit the Security & Trust Center.
- To responsibly disclose a security vulnerability, please use our Responsible Disclosure page.
- For our self-managed customers looking for information and timelines regarding our software support lifecycle, please refer to the SingleStore Software EOL Policy.