📊 HiddenMerit Daily · Issue 19
May 14, 2026 | 5 Selected Global Breaking News
01|Vastbase Plans Private Placement of Over RMB 700M, Doubles Down on HTAP and Multi‑Modal Time‑Series Database
On the evening of May 11, Vastbase (603138.SH) disclosed its 2026 private placement plan, intending to issue A-shares to no more than 35 specified investors, raising up to RMB 702 million. After deducting issuance expenses, the net proceeds will be fully invested in two core technology R&D projects: RMB 489 million for a next‑generation high‑performance hybrid transaction/analytical database (HTAP) project, and RMB 213 million for a multi‑modal time‑series database project. The company stated that the traditional OLTP+OLAP separated architecture can no longer meet the rigid requirements of real‑time data processing, integration, and high concurrency in core scenarios such as finance, retail, telecommunications, and manufacturing. Its shortcomings – high O&M costs, data synchronization latency, and difficulty ensuring consistency – have become key bottlenecks in digital transformation. The HTAP architecture, with its two core advantages of row‑column hybrid storage and unified transaction/analytics processing, can deliver both high‑concurrency transaction performance and batch analytical efficiency. The multi‑modal time‑series database project focuses on core needs in industrial IoT and energy dispatch, aiming to solve the heavy reliance on foreign technology and insufficient multi‑modal integration capabilities in domestic products.
It is worth noting that the company has recorded four consecutive years of losses. In Q1 2026, its net loss attributable to shareholders widened to RMB 41.77 million, operating cash flow plummeted 214% year‑on‑year, and the controlling shareholders, Chen Zhimin and Zhu Huawei, were previously penalised by the securities regulator for illegal shareholding reductions. Over six years of listing, cumulative dividends amount to only RMB 15.78 million.
· DBA Perspective: HTAP integrated architecture is becoming an industry consensus. For DBAs, saying goodbye to ETL pipelines and dual‑system maintenance is good news, but it also brings new challenges: coordinating transaction response and batch analytics within a single system requires more refined resource scheduling and SLA guarantees. Moreover, the ability to integrate time‑series data with HTAP will become a core competency for DBAs in IIoT scenarios.
· CTO Perspective: Vastbase’s customers are primarily state‑owned enterprises. This private placement targeting HTAP coincides with the deepening of financial Xinchuang. If the HTAP product successfully launches, it will add a more complete domestic integrated database option for telecom and energy scenarios. However, management’s history of repeated project delays and lack of profitability improvement are risks that cannot be ignored.
· Investor Perspective: The biggest controversy around Vastbase’s private placement is “four consecutive years of losses + controlling shareholder illegal shareholding reduction”. There is significant uncertainty whether the large offering will be approved. The composition of subscribers and their subscription multiples will be key indicators of short‑term market confidence.
02|Dense High‑Risk Vulnerabilities Exposed in May: Multiple Databases and Applications Harbour Deep Risks
In the second week of May, several high‑risk CVEs were disclosed in quick succession, covering three layers: database kernel, open‑source frameworks, and SaaS platforms.
Database Kernel Layer: A severe vulnerability in the ArcadeDB multi‑model database management system, CVE-2026-44221, silently disables both database‑level and record‑level authorisations. Any authenticated attacker can perform full read/write and structural changes on any database on the same server. A fix is available in version 2.6.4. Additionally, the @sap/hdi-deploy package of SAP HANA deployment infrastructure has an SQL injection vulnerability, CVE-2026-40131.
Open‑Source Framework and Application Layer: The popular WordPress e‑commerce plugin BEAR (WooCommerce batch editing tool) has a critical SQL injection vulnerability, CVE-2026-45213, affecting versions 1.1.7.1 and below. Successful exploitation can lead to full database compromise, product catalogue tampering, customer information leakage, and even complete server takeover. The AI low‑code platform NocoBase has an SQL validation bypass vulnerability, CVE-2026-41641 (CVSS 7.2), allowing attackers to execute unauthorised malicious SQL via the sqlCollection:update endpoint to exfiltrate sensitive data. The pre‑authentication SQL injection vulnerability CVE-2026-42208, which caused widespread concern last week, has been formally added to CISA’s Known Exploited Vulnerabilities Catalog, with active exploitation observed approximately 36 hours after disclosure.
· DBA Perspective: The intensive disclosure of several high‑risk vulnerabilities across NoSQL, relational, and edge frameworks reflects a rapid expansion of the attack surface. DBAs must immediately take three actions: check whether they are using niche community database components like ArcadeDB and prioritise patch upgrades; scan for instances of low‑code platforms such as NocoBase using vulnerability scanners; and include core dependencies of the WordPress e‑commerce ecosystem in database risk monitoring, with automated detection and baseline assessment.
· CTO Perspective: Security auditing of AI frameworks, low‑code platforms, and open‑source e‑commerce plugins has become a mandatory compliance item. Security response efficiency directly affects business continuity and customer trust. It is recommended to establish a software bill of materials for the entire technology stack and automated vulnerability scanning mechanisms, proactively inspect third‑party database systems in production, and leave no edge attack surface unchecked – embedding security into every stage of development and delivery.
· Investor Perspective: The intensive discovery of vulnerabilities in ArcadeDB, BEAR, and low‑code backends demonstrates that the data infrastructure supply chain is expanding in diversity but lacking adequate security validation. The trend of enterprise security budgets shifting toward deep scanning of open‑source components, runtime risk monitoring, and automated patch management is accelerating.
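As an added example (not part of the original digest), the inventory check recommended above can be run against a software bill of materials using only the version facts this issue states. The component names and the sample SBOM are constructed assumptions; components for which the digest gives no affected range are routed to manual review.

```python
import json

# Advisory facts taken from the digest above; None where it states no version.
# Assumption: everything below a stated fixed release is treated as vulnerable.
ADVISORIES = [
    {"cve": "CVE-2026-44221", "component": "arcadedb", "first_fixed": "2.6.4", "last_affected": None},
    {"cve": "CVE-2026-45213", "component": "bear", "first_fixed": None, "last_affected": "1.1.7.1"},
    {"cve": "CVE-2026-41641", "component": "nocobase", "first_fixed": None, "last_affected": None},
    {"cve": "CVE-2026-40131", "component": "@sap/hdi-deploy", "first_fixed": None, "last_affected": None},
]

def vtuple(version):
    """Turn '1.1.7.1' into (1, 1, 7, 1); non-numeric parts raise ValueError."""
    return tuple(int(p) for p in version.split("."))

def compare(a, b):
    """Compare dotted versions of unequal length by zero-padding: 2.6 == 2.6.0."""
    ta, tb = vtuple(a), vtuple(b)
    width = max(len(ta), len(tb))
    ta, tb = ta + (0,) * (width - len(ta)), tb + (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)

def triage(sbom):
    """Return sorted (component, version, cve, verdict) rows for matching components."""
    rows = []
    for comp in sbom.get("components", []):
        name, version = comp["name"].lower(), comp.get("version", "")
        for adv in ADVISORIES:
            if adv["component"] != name:
                continue
            try:
                if adv["first_fixed"]:
                    verdict = "VULNERABLE" if compare(version, adv["first_fixed"]) < 0 else "ok"
                elif adv["last_affected"]:
                    verdict = "VULNERABLE" if compare(version, adv["last_affected"]) <= 0 else "ok"
                else:
                    verdict = "REVIEW"  # digest states no affected range
            except ValueError:
                verdict = "REVIEW"      # missing or non-numeric version string
            rows.append((name, version, adv["cve"], verdict))
    return sorted(rows)

# Constructed sample inventory in a CycloneDX-like shape (names are assumptions).
SAMPLE_SBOM = json.loads("""{"components": [
  {"name": "ArcadeDB", "version": "2.6.3"},
  {"name": "arcadedb", "version": "2.6.4"},
  {"name": "BEAR", "version": "1.1.7.1"},
  {"name": "NocoBase", "version": "unknown"},
  {"name": "postgresql", "version": "16.2"}
]}""")

if __name__ == "__main__":
    for row in triage(SAMPLE_SBOM):
        print(*row, sep="\t")
```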
03|Tencent Cloud Has 6 Papers Accepted at ICDE 2026, Industry‑Academia Collaboration Tackles Core Database Performance Bottlenecks
At the 42nd IEEE International Conference on Data Engineering (ICDE 2026) held in Montreal, Canada, Tencent had 6 papers accepted. ICDE is one of the top three academic conferences in the database field (alongside SIGMOD and VLDB), with an acceptance rate of around 20% in recent years, representing the global direction of database technology. All selected papers address real‑world problems from production environments and were co‑authored by Tencent and top universities including Renmin University of China, Fudan University, and Shenzhen University.
Key Technical Breakthroughs:
· Doux: In collaboration with Renmin University, a dual‑path parallel storage solution for range‑filter queries, achieving a 5x improvement in range filter speed and nearly 3x improvement in write throughput.
· Query Rewrite Rule Self‑Discovery: In collaboration with Shenzhen University, an algorithm that automatically discovers over 1 million query rewrite rules – the largest publicly verified rule base to date.
· Telescope HTAP Column Cache: In collaboration with Renmin University, a machine learning model that predicts the benefit of column cache loading in HTAP scenarios without actually loading the data, reducing prediction error by 68% compared to previous methods.
· CYANSQL Natural Language Query: In collaboration with Fudan University, focusing on NL2SQL accuracy in complex scenarios such as multi‑table joins. By classifying historical queries by logical structure, generating multiple candidate execution plans, and validating results, it improves recall on the BIRD benchmark by nearly 5 percentage points over the industry’s best performance. The technology has already been productised in Tencent Cloud’s data intelligence products.
· DBA Perspective: Six industry‑academia research papers represent a shift from “following academic trends” to “original theoretical innovation” in domestic databases. Engineering practice coupled with academic research will provide DBAs with more intelligent operational tools in areas such as next‑generation HTAP scheduling, automated rewrite rule generation, and NL2SQL – especially CYANSQL, which will enable more accurate natural language queries, lowering the barrier for business self‑service data access.
· CTO Perspective: The ICDE outcomes are directly feeding back into Tencent Cloud database products. DBTDSQL already serves the core systems of over 100 financial institutions, stably supporting four major state‑owned banks. This demonstrates a clear commercial translation path for enterprises’ database technology innovation and academic output. Industry‑academia collaboration is becoming an efficient method for delivering core technology innovation.
· Investor Perspective: Tencent’s industry‑academia collaborative papers being accepted at a top conference not only demonstrates TDSQL’s strength in tackling core bottlenecks but also provides a reference model for database startups to collaborate with universities. The competitiveness of domestic database startups in R&D investment and their accumulation of academic reputation will become important value drivers for subsequent funding rounds and valuation increases.
04|Alibaba Cloud PolarDB Launches Three AI‑Native Database Products: PolarSearch Memory Container, AgenticDB, and Lakebase
On May 12‑13, Alibaba Cloud launched three AI‑native database products, systematically building an end‑to‑end AI capability chain from RAG to agents to data lake:
PolarSearch Memory Container: An AI agent native memory solution built into PolarDB, pioneering a three‑tier architecture – short‑term memory, long‑term memory, and memory history. It integrates large language model fact extraction with vector semantic retrieval, achieving over 95% accuracy and memory utilisation above 85%. It supports multi‑tenancy, audit traceability, and PB‑level elastic scaling, enabling agents to truly have cross‑session, trustworthy long‑term partner capabilities.
AgenticDB: An AI‑native data foundation built on Alibaba Cloud AnalyticDB for PostgreSQL, integrating AI application backend services and context management. It offers two modes for AI startups and enterprise innovation teams: Launch Edition (one‑stop backend rapid go‑live) and Advanced Edition (fine‑grained context management + data sandbox isolation). It supports Copy‑on‑Write technology to build isolated data environments, ensuring independent sub‑task workflows do not interfere.
Lakebase: The previously announced AI data lakehouse, built on open data lake specifications, combining the cost‑effectiveness of a data lake with the integration capabilities of a data warehouse. It has started grey‑scale invitation testing on the Alibaba Cloud official website.
· DBA Perspective: AI agents are becoming the new “core tenants” of databases. Traditional DBAs design connection pools and slow query monitoring for humans, but agent memory access patterns are fundamentally different – high‑frequency small batches, cross‑session persistence, and multi‑tenant logical isolation. PolarSearch’s three‑tier architecture and Copy‑on‑Write data sandbox provide DBAs with observability and isolation management tools for agent workloads. DBAs need to start learning access pattern design and audit tracking methods for AI agents.
· CTO Perspective: Alibaba Cloud’s “AgenticDB + PolarSearch + Lakebase” matrix can be seen as a full‑stack AI database foundation layout. AgenticDB offers AI startups rapid start (hour‑level iteration, half‑day go‑live) and extreme elasticity (Scale‑to‑Zero cost reduction), while the enterprise edition provides data sandboxes for strict context isolation – effectively controlling risk boundaries when exploring multi‑agent productivity scenarios.
· Investor Perspective: Alibaba Cloud’s three consecutive AI‑native data product launches demonstrate a clear strategic intent to accelerate from traditional RAG toward an agent intelligence foundation, capturing the entry point of AI infrastructure. PolarDB already serves over 20,000 customers across 86 availability zones, and the rollout of AI features will further improve paid conversion rates and average revenue per customer.
05|Tencent Cloud Reveals DatabaseClaw: Four Layers of Security Depth for AI Agents Taking Over Production Databases
On May 13, during the DBTalk live stream “Database O&M Innovation in the Era of Large Models: How AI Agents Move from ‘Usable’ to ‘Trustworthy’”, Tencent Cloud unveiled its database AI agent platform DatabaseClaw. The platform uses four layers of security depth to build enterprise‑grade production admission capabilities, relying on a diverse skill ecosystem and packaging over a decade of real‑world fault‑troubleshooting and operational experience into standardised components, enabling AI agents to truly move from “usable” to “trustworthy”. The platform’s core capabilities come from two components: DBbrain (extreme performance insight and AI skill transformation), which provides the diagnostic brain by standardising over a decade of expert experience into AI operators; and DMC (Database Management Console), which packages core capabilities such as table management, SQL execution, and change workflows as skills, using instance authorisation, SQL execution rules, and other governance mechanisms to provide security boundaries for agent operations on production databases.
· DBA Perspective: The launch of Tencent Cloud’s DatabaseClaw marks a leap for AI agents in database operations from “chat‑based Q&A” to “production takeover”. As agents increasingly participate in change execution, anomaly self‑healing, and capacity prediction, the DBA role is shifting from “manual firefighting” to “policy definition” – defining agent operation boundaries, auditing their execution trails, and triggering circuit breakers and rollbacks during anomalies. DatabaseClaw’s four layers of security depth (including instance authorisation, SQL execution rules, and other governance mechanisms) provide essential security guarantees for this transformation.
· CTO Perspective: Standardising operational knowledge into skills plus multi‑tenant security boundary enforcement is a prerequisite for AI agents to move from “pilot showcase” to “production‑grade mainstream”. If DBAs’ accumulated troubleshooting experience can be fed into DatabaseClaw, operational human resources can be redirected toward higher‑level activities such as architecture planning and data governance.
· Investor Perspective: Tencent Cloud officially launching an agent takeover platform for databases proves that AI in Database is no longer limited to tool‑level applications like large‑model SQL generation, but is evolving toward production‑grade agent autonomy. The commercial value ceiling of the AI O&M automation market is opening up, and investors should focus on the differentiation of security control layers among relevant technology vendors.
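As an added illustration (not Tencent Cloud's implementation and not from the original digest), the sketch below shows how instance authorisation, SQL execution rules and an execution trail can bound what an agent runs. It uses SQLite's compile-time authorizer as a stand-in engine; the policy, instance names and tables are hypothetical.

```python
import sqlite3

# Hypothetical policy: instances this agent may touch, and per-instance table rules.
POLICY = {"orders-prod": {"read": {"orders", "customers"}, "write": {"orders"}}}
AUDIT = []  # execution trail of (instance, sql, outcome)

def make_authorizer(rules):
    """Return a sqlite3 authorizer enforcing the rules while SQL is compiled."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
            return sqlite3.SQLITE_OK if arg1 in rules["read"] else sqlite3.SQLITE_DENY
        if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE):
            return sqlite3.SQLITE_OK if arg1 in rules["write"] else sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_DENY  # default deny: DELETE, DROP, ALTER, PRAGMA, ...
    return authorizer

def open_instance(name):
    """Constructed stand-in for a production instance (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.executescript(
        "CREATE TABLE orders(id INTEGER PRIMARY KEY, total INTEGER);"
        "CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT);"
        "CREATE TABLE payroll(id INTEGER PRIMARY KEY, salary INTEGER);"
        "INSERT INTO orders VALUES (1, 100);"
    )
    if name in POLICY:  # SQL execution rules, enforced by the engine itself
        conn.set_authorizer(make_authorizer(POLICY[name]))
    return conn

def run_as_agent(instances, name, sql):
    """Check instance authorisation, run under the authorizer, record the outcome."""
    if name not in POLICY or name not in instances:
        AUDIT.append((name, sql, "denied: instance not authorised"))
        return None
    try:
        rows = instances[name].execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        AUDIT.append((name, sql, f"denied: {exc}"))
        return None
    AUDIT.append((name, sql, "allowed"))
    return rows

if __name__ == "__main__":
    dbs = {n: open_instance(n) for n in ("orders-prod", "hr-prod")}
    for stmt in ("SELECT id, total FROM orders", "UPDATE orders SET total = 5 WHERE id = 1",
                 "SELECT salary FROM payroll", "DROP TABLE orders"):
        run_as_agent(dbs, "orders-prod", stmt)
    run_as_agent(dbs, "hr-prod", "SELECT id FROM payroll")
    print(*AUDIT, sep="\n")
```

Because the rules are checked by the engine when each statement is compiled, they do not depend on pattern-matching the SQL text the agent generates.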
📅 Upcoming Industry Events
Date | Event | Core Highlights
May 14, 19:00 | TimechoAI Time‑Series Intelligence Platform First Public Sharing | Qiao Jialin, CTO of Timecho, on the evolution from time‑series database to intelligent platform
May 22 | XCOPS Intelligent O&M Managers Annual Conference (Guangzhou) | Practical applications of large models, financial‑grade database transformation
May 26, 19:00 | Tencent Cloud DBTalk: Deep Dive into DatabaseClaw | AI agents moving from “usable” to “trustworthy”
May 29 | Tencent Cloud “Database + AI” Product Launch | Debut of six core AI‑In‑Database engines, Agent “memory brain” and more
May 29 | Database + AI Technology Summit | Paradigm shift from “tool combination” to “kernel native integration”
📌 Issue Summary
News | Core Keywords | DBA Actions | CTO/Decision‑Maker Focus | Investor Perspective
Vastbase private placement of RMB 702M | HTAP integration, multi‑modal time‑series | HTAP hybrid workload tuning + time‑series data processing | Delivery capability of HTAP products for Xinchuang needs and financial health | Subscription enthusiasm from institutional investors is key confidence indicator
Dense May high‑risk vulnerabilities | SQL injection, auth bypass, multi‑model DB | Patch ArcadeDB; scan NocoBase instances; monitor WordPress e‑commerce plugin dependencies | Establish SBOM and automated vulnerability scanning | Enterprise security budgets shift toward deep scanning of open‑source components
Tencent 6 ICDE papers | HTAP column cache, 5x range filter speed, NL2SQL recall +5% | NL2SQL lowers self‑service data access barrier; HTAP tuning improves mixed workloads | Industry‑academia outcomes accelerate commercial translation; clear R&D ROI path | Database industry‑academia collaboration reshapes competitiveness, supports valuation
Alibaba Cloud three AI‑native DB products | Three‑tier memory architecture, data sandbox isolation, Scale‑to‑Zero | Learn agent access pattern design and audit methods | Fast iteration for AI startups; data isolation solutions for enterprise agent middleware | Battle for AI agent infrastructure entry point intensifies
Tencent Cloud DatabaseClaw | Four layers of security depth, O&M skill packaging | Shift from manual O&M to agent policy definition and security boundary setting | Reallocate O&M workforce to higher‑level architecture planning | Commercial value ceiling of AI O&M automation market opens
HiddenMerit Team Production Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.