
HiddenMerit Daily · Issue 23

Category: DailyIssue | Author: Clyde Jin

Focus on Database Frontiers, Practical Insights for DBAs | May 18, 2026 | 5 Selected Global News Items

01|Vastbase Plans Private Placement of RMB 702M, Doubles Down on HTAP and Multi‑Modal Time‑Series Database

On the evening of May 11, Vastbase (603138.SH) disclosed its 2026 private placement plan, aiming to raise up to RMB 702 million. The entire amount will be invested in two cutting‑edge R&D projects: RMB 489 million for a next‑generation high‑performance hybrid transaction/analytical database (HTAP) project, and RMB 213 million for a multi‑modal time‑series database project.

Vastbase believes that the traditional “OLTP database + OLAP data warehouse” separated architecture can no longer meet the real‑time, integrated, and high‑concurrency requirements of core scenarios such as finance, retail, telecommunications, and manufacturing. The drawbacks – high O&M costs, data synchronization latency, and difficulty ensuring consistency – have become prominent. The HTAP architecture, with its two core technical advantages of row‑column hybrid storage and unified transaction/analytics processing, can deliver both high‑concurrency transaction performance and batch analytical efficiency. The multi‑modal time‑series database project targets core needs in emerging scenarios such as industrial IoT and energy dispatch, aiming to solve the heavy reliance on foreign technology and insufficient multi‑modal integration capabilities in domestic products.

· DBA Perspective: HTAP integrated architecture is rapidly moving from “concept” to “large‑scale implementation.” For DBAs, this means transitioning from a traditional “OLTP‑dedicated maintainer” to a “hybrid workload orchestrator.” With a single system handling both high‑frequency transactions and batch analytics, resource scheduling, lock contention management, and SLA guarantee strategies all need to be redesigned. The ability to integrate time‑series data will also become a core competency for DBAs in industrial IoT and energy dispatch scenarios. DBAs interested in new infrastructure directions are advised to actively learn execution plan tuning and row/column hybrid storage design under HTAP.

· CTO Perspective: Vastbase’s customers are primarily state‑owned enterprises. This private placement targeting HTAP coincides with the deepening of financial and telecom Xinchuang. If the HTAP product successfully launches, it will add a more complete integrated domestic database option for key industries. However, the company has recorded four consecutive years of losses, and management has a history of repeated project delays and unimproved profitability. Technical decision‑makers need to assess the vendor’s financial health alongside its HTAP product delivery capability.

· Investor Perspective: The dual tracks of HTAP and multi‑modal time‑series have clear market demand, strongly driven by scenarios such as financial real‑time risk control, industrial IoT, and energy dispatch. However, Vastbase’s historical baggage of “four consecutive years of losses + controlling shareholder penalty for illegal shareholding reduction” cannot be ignored. There is significant uncertainty whether the large offering will be approved. The subscription enthusiasm and multiples from institutional investors will be key indicators of short‑term market confidence. Subsequent focus should be on the order conversion efficiency of the investment projects and the pace of accounts receivable collection.

02|CETC Kingware KES V9 2025 Fusion Edition Officially Announced: Native Multi‑Modal Convergence Supporting 8 Data Models

On May 15, Taiji Computer (002368.SZ) announced on its investor interaction platform that its subsidiary CETC Kingware has launched the KES V9 2025 Fusion Edition database. The product’s kernel adopts a native multi‑modal convergence architecture, supporting 8 data models – relational, vector, graph, document, time‑series, spatial, etc. – enabling unified storage and querying within a single engine.

Kingware’s database is fully self‑developed, offering a “three lows, one smooth” migration approach (low difficulty, low cost, low risk, smooth). It supports data import and migration from over 40 different data source types and has been widely used in government, finance, telecommunications, energy, transportation, and other industries, with cumulative installations exceeding 1 million sets. Earlier, Kingware had deployed over 20,000 sets, and its 2025 strategic goal is to embed AI capabilities into the database kernel, enabling full‑scale replacement from edge systems to financial cores. The KES V9 2025 Fusion Edition continues this strategy – integrating relational, vector, graph, document, time‑series, spatial, and other multi‑modal capabilities into one engine to meet the multi‑modal data processing needs of the AI agent era.

· DBA Perspective: Kingware’s native support for eight multi‑modal data models is a significant leap from “single‑model optimisation” to “multi‑modal convergence” for domestic databases. In the past, building an environment for knowledge graphs, RAG, and time‑series analysis required complex component splicing and data movement among graph, vector, and time‑series databases. Kingware’s “one engine does it all” approach means DBAs need to learn the syntax of multi‑modal fused queries and resource isolation configuration under mixed workloads. When a domestic database can serve full‑stack AI scenarios with a single engine, DBAs will have much broader decision‑making space in technology selection.

· CTO Perspective: The large‑scale validation of Kingware’s “three lows, one smooth” migration approach and the endorsement of 1 million installations serve as important benchmarks for CTOs undertaking core system Xinchuang transformations. The native multi‑modal convergence architecture integrates graph retrieval, vector query, and time‑series analysis into a single engine, promising to significantly reduce the management complexity of multi‑component orchestration in AI agent applications. Enterprises in the technology evaluation phase can prioritise Kingware in their first‑round testing for multi‑modal convergence.

· Investor Perspective: The figure of over 1 million cumulative installations validates Kingware’s large‑scale delivery capability. Evolving from a single relational database to full convergence of eight data models takes a big step forward in Kingware’s technology leadership in the AI‑native multi‑modal database track. The existing user base of 1 million sets provides a natural “customer reach” channel for promoting its multi‑modal features (vector, graph, time‑series, etc.), likely accelerating the conversion from “domestic replacement” to “AI new‑scenario application.”

03|CockroachDB Officially Lands on IBM Power and IBM Cloud, Distributed Database Advances into the IBM Power Ecosystem

On May 13, Cockroach Labs announced that CockroachDB will officially be available on the IBM Cloud catalog, with full support for IBM Power processor server systems. Customers can deploy and consume CockroachDB directly in IBM VPC and IBM Power Virtual Server, while maintaining consistency with workloads running on on‑premises IBM Power and other IBM platforms.

Allen Terleto, VP of Global Partnerships and Ecosystem at Cockroach Labs, stated: “Agentic AI marks a fundamental turning point, requiring a completely different approach to data infrastructure. With CockroachDB, IBM customers can unify globally distributed transactions and AI‑driven data access patterns on a single platform, building agent‑scale distributed applications without being constrained by legacy architectures.” The service allows customers to procure and consume under existing IBM Cloud agreements, including committed consumption credits, and includes IBM‑supported service‑level agreements.

· DBA Perspective: CockroachDB entering the IBM Power ecosystem (Power is IBM’s RISC server line, distinct from the IBM Z mainframe) sends a clear signal to DBAs focused on distributed SQL: the traditional “scale‑up” monolithic fortress is giving way to “scale‑out” cloud‑native distributed architecture. DBAs need to start learning the core trade‑offs of distributed systems: the CAP theorem, Paxos/Raft consensus algorithms, two‑phase commit for distributed transactions – moving from “single‑node tuning” to “distributed tuning.” Meanwhile, the PG‑compatible route (CockroachDB is PostgreSQL wire‑compatible) is becoming mainstream for distributed SQL. DBAs are advised to deepen their understanding of PostgreSQL kernel features.

· CTO Perspective: IBM’s decision to bring CockroachDB into IBM Cloud and the IBM Power ecosystem is a key endorsement of distributed databases entering traditional strong‑consistency scenarios. IBM customers can modernise core systems incrementally, preserving their existing investment in IBM Power infrastructure while building a distributed data foundation for agent‑scale applications. For CIOs/CTOs with significant legacy IBM technical debt, this provides a reference path for a smooth transition from monolithic to distributed cloud‑native architecture. At the same time, when selecting technology, attention should be paid to distributed‑SQL‑specific cost variables such as write amplification and cross‑region latency.

· Investor Perspective: The deep integration partnership between CockroachDB and IBM signals that the penetration of distributed SQL into traditional industries such as finance and manufacturing is accelerating. IBM’s vast enterprise customer base provides a strategic sales channel for CockroachDB. Service providers around the distributed database ecosystem can expect their potential customer reach to expand. CockroachDB’s future IPO or M&A valuation may also attract additional institutional investor attention due to this deep tie with IBM.

04|Latest Research Report: 26% of Enterprise MySQL Databases Exposed to Public Internet, Fix Times Show Significant Industry Variation

Cybersecurity firm Intruder’s latest “2026 Attack Surface Management Index,” based on anonymised data from 3,000 organisations, found that 26% of organisations have MySQL databases exposed to the internet. PostgreSQL exposure is similarly prominent. Other exposed assets include API documentation (more than one organisation in seven), WordPress admin panels (15%), and phpMyAdmin (8%).

In terms of remediation speed, significant differences exist across organisation sizes and industries: small organisations average 14‑18 days to fix, while medium‑sized enterprises (5,000‑10,000 employees) take an average of 56 days, roughly three to four times slower. By industry, banks average only 11 days to eliminate exposure and retailers 10 days, but insurers average nearly 50 days, and pharmaceuticals/automotive average 43 days.

Chris Wallis, CEO of Intruder, warned: “The emergence of autonomous AI models has fundamentally changed the cybersecurity landscape. The time window from vulnerability discovery to exploitation is compressing dramatically. In this high‑speed era, exposing MySQL databases or private API documentation to the internet is akin to opening the door wide for automated high‑speed ransomware.”

· DBA Perspective: The finding that one quarter of enterprises have MySQL databases directly exposed to the public internet is alarming and well beyond what any hardening baseline should tolerate. Even if the databases themselves are hardened, public exposure dramatically increases the risk of being scanned and brute‑forced by automated attack tools, and the pre‑authentication greeting a MySQL server sends to any TCP client already leaks its exact version. Combined with the recent spate of high‑risk CVE disclosures, publicly exposed databases hand attackers both the “entry point” and the “weapons.” DBAs should immediately work with security teams to: scan the organisation’s own public IP ranges from an external vantage point for database ports (3306, 5432 and the rest) that answer; enforce allow‑list access controls on all public‑facing databases (firewall rules plus host‑scoped accounts such as 'app'@'10.0.0.%' rather than 'app'@'%'), or bind them to a private interface and migrate them to internal networks; and, for databases that cannot be taken offline immediately, require TLS, enable multi‑factor authentication where the server supports it (MySQL 8.0.27 and later), and alert on anomalous logins.

· CTO Perspective: The core reason why medium‑sized enterprises (5,000‑10,000 employees) have the slowest remediation speed is that “asset expansion outpaces security governance capability.” As technical teams manage an explosion of public‑facing assets, the security response speed and policy coordination efficiency for vulnerability patching become diluted. Management should establish “exposure management” as a dedicated metric, create regular asset inventory mechanisms for databases, API services, and O&M platforms, and compress remediation times from the industry average of 40‑50 days to less than two weeks.

· Investor Perspective: The 26% MySQL public exposure rate and the 56‑day remediation time for medium‑large enterprises indicate that there are still many “blind spots” in enterprise attack surface management. Autonomous AI models are forcing enterprises to increase spending on attack surface monitoring and automated defence. Security companies focused on exposure scanning, intelligent attack surface management, and automated remediation orchestration are likely to see sustained growth in enterprise procurement demand. The remediation speed of around 10 days in the finance and retail sectors demonstrates the value of refined operations, and will also provide pricing leverage for similar security vendors when negotiating with insurers and manufacturing clients.
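The “scan your own ranges” action above is more useful if the scanner tells you what kind of exposure it found, because a MySQL port that answers is not one thing: the server may send a full handshake to anyone (brute‑force and version‑fingerprinting surface), or it may reply with error 1130 (“Host ... is not allowed to connect”), which means the port is reachable but host‑scoped accounts already deny this source. The following Python is an added example written for this page, not tooling from Intruder or from the blog; it parses the MySQL pre‑authentication handshake and error packets per the public client/server protocol, and runs offline on constructed packets (the host addresses are RFC 5737 documentation ranges, the captures are synthetic).

```python
"""Classify what a listener on TCP 3306 reveals before any authentication.

Added example for this page (not Intruder's or the blog's code). Offline by
default: assess() takes an injectable fetch, so the constructed captures below
stand in for real sockets; probe() does a live connect when you pass real hosts.
"""
import socket
import struct

# Capability bits from the MySQL client/server protocol (stable since 4.1).
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x00080000
ER_HOST_NOT_PRIVILEGED = 1130   # "Host 'x' is not allowed to connect to this MySQL server"


def split_packet(raw: bytes) -> bytes:
    """Strip the 4-byte header: 3-byte little-endian payload length, 1-byte sequence id."""
    if len(raw) < 4:
        raise ValueError("short header")
    length = raw[0] | raw[1] << 8 | raw[2] << 16
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return payload


def parse_handshake_v10(payload: bytes) -> dict:
    """Parse Protocol::HandshakeV10, which the server volunteers to every peer it lets connect."""
    if payload[0] != 0x0A:
        raise ValueError("not a v10 handshake")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1 + 4 + 8 + 1          # skip thread id, auth-data part 1, filler byte
    cap_lo, _charset, _status, cap_hi, auth_len = struct.unpack_from("<HBHHB", payload, pos)
    pos += 8 + 10                      # those fields plus 10 reserved bytes
    caps = cap_lo | cap_hi << 16
    plugin = ""
    if caps & CLIENT_SECURE_CONNECTION:
        pos += max(13, auth_len - 8)   # auth-data part 2
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = payload[pos:payload.index(b"\x00", pos)].decode("ascii", "replace")
    return {"state": "open_accepts_clients", "version": version,
            "tls_offered": bool(caps & CLIENT_SSL), "auth_plugin": plugin}


def parse_error(payload: bytes) -> dict:
    """Parse an ERR packet; pre-auth errors such as 1130 arrive without the '#sqlstate' prefix."""
    code = struct.unpack_from("<H", payload, 1)[0]
    pos = 3
    if payload[pos:pos + 1] == b"#":
        pos += 6
    state = "open_host_denied" if code == ER_HOST_NOT_PRIVILEGED else "open_error"
    return {"state": state, "error_code": code, "message": payload[pos:].decode("utf-8", "replace")}


def classify(raw: bytes) -> dict:
    payload = split_packet(raw)
    return parse_error(payload) if payload[0] == 0xFF else parse_handshake_v10(payload)


def probe(host: str, port: int = 3306, timeout: float = 3.0):
    """Live check: connect from the scanning vantage point and read the server's first packet."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(4096)
    except OSError:
        return None


def assess(hosts, fetch=probe) -> dict:
    """Map each host to an exposure verdict; `fetch` returns the first bytes received or None."""
    out = {}
    for host in hosts:
        raw = fetch(host)
        if not raw:
            out[host] = {"state": "closed_or_filtered"}
            continue
        try:
            out[host] = classify(raw)
        except (ValueError, IndexError) as exc:
            out[host] = {"state": "open_not_mysql", "detail": str(exc)}
    return out


def build_handshake(version: str, caps: int, plugin: str) -> bytes:
    """Construct a synthetic HandshakeV10 packet (sample data for the demo, not a real capture)."""
    body = (b"\x0a" + version.encode() + b"\x00" + struct.pack("<I", 7) + b"A" * 8 + b"\x00"
            + struct.pack("<HBHHB", caps & 0xFFFF, 255, 2, caps >> 16, 21)
            + b"\x00" * 10 + b"B" * 12 + b"\x00" + plugin.encode() + b"\x00")
    return struct.pack("<I", len(body))[:3] + b"\x00" + body


def build_error(code: int, msg: str) -> bytes:
    """Construct a synthetic pre-authentication ERR packet (sample data for the demo)."""
    body = b"\xff" + struct.pack("<H", code) + msg.encode()
    return struct.pack("<I", len(body))[:3] + b"\x00" + body


CAPS_MODERN = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH | CLIENT_SSL
SAMPLE_CAPTURES = {   # constructed; hosts are RFC 5737 documentation addresses
    "198.51.100.10": build_handshake("8.0.36", CAPS_MODERN, "caching_sha2_password"),
    "198.51.100.11": build_handshake("5.7.44-log", CAPS_MODERN & ~CLIENT_SSL, "mysql_native_password"),
    "198.51.100.12": build_error(ER_HOST_NOT_PRIVILEGED,
                                 "Host '203.0.113.5' is not allowed to connect to this MySQL server"),
    "198.51.100.13": None,
}

if __name__ == "__main__":
    for host, verdict in assess(SAMPLE_CAPTURES, fetch=SAMPLE_CAPTURES.get).items():
        print(host, verdict)
```

Read the verdicts as a triage order: open_accepts_clients with tls_offered False is the worst case (anyone can attempt passwords and the version string points straight at applicable CVEs), open_host_denied means the network path is still open even though the account ACL holds, and only closed_or_filtered matches what an internet‑facing range should look like. The probe must run from outside the organisation’s networks; the same check from an office subnet will pass hosts that a public VPS can reach.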

05|Weekly Security Vulnerability Recap: Dataease SQL Injection CVE-2026-8724 and Others Exposed, BI Platforms Like Oinone Become Prime Targets

Around May 17, several security vulnerabilities in databases and BI platforms were disclosed. Dataease, an open‑source data visualisation and analysis platform, was found to have a critical SQL injection vulnerability in version 2.10.20 (CVE-2026-8724). The vulnerability resides in the SqlparserUtils.transFilter function of the data dashboard component, allowing attackers to inject malicious SQL via crafted requests. Proof‑of‑concept exploit code has been publicly released, increasing the risk of actual attacks.

Other disclosures include an SQL injection risk in the RSQLToSQLNodeConnector.makeVariable interface in multiple versions of the Oinone platform (CVE-2026-45557), and a severe risk in SiYuan Note (versions before 3.7.0) where 8 API endpoints lacking proper authorisation management could lead to configuration and SQL index tampering.

The surge in vulnerabilities highlights that data integration platforms such as BI platforms, low‑code platforms, and knowledge management tools are being chosen by attackers as key entry points into enterprise internal networks. These platforms typically have direct read/write access to backend databases. Once attackers compromise the API layer via injection or privilege bypass vulnerabilities, they can directly exfiltrate or tamper with core data assets.

· DBA Perspective: With exploit code for CVE-2026-8724 publicly available, this is a high‑priority threat requiring immediate action; the flaw is disclosed, so strictly it is an n‑day rather than a zero‑day, but a public PoC collapses the window between disclosure and mass exploitation. Dataease, Oinone, SiYuan and similar platforms have the ability to directly connect to or manage backend database clusters. Attackers exploiting injection vulnerabilities in these BI/low‑code platforms can compromise the API layer and launch data theft or tampering attacks on production databases. DBAs should urgently work with data governance teams to inventory all “intermediate analytical platforms with database read/write privileges,” enforce parameterised query constraints on exposed API endpoints (and allow‑list the column and operator names that user‑supplied filters may reference, since identifiers cannot be bound as parameters), apply least‑privilege database accounts (read‑only wherever the platform only reports), and implement IP allow‑listing for access sources.

· CTO Perspective: SQL injection risks in data visualisation and low‑code development tools are accelerating in the context of AI‑driven development velocity. The API exposure and database connection privileges of these BI platforms often fall below the granularity of routine security assessments and are easily overlooked by security teams. It is recommended that technology management include “BI platform security” and “low‑code governance” in regular enterprise red‑team exercises, and integrate critical reporting APIs into the API gateway’s unified authentication and auditing framework.

· Investor Perspective: Open‑source data platforms like Dataease are increasingly deployed in AI projects and enterprise data portals, but their security maturity lags far behind. The public release of exploit code for CVE-2026-8724 could trigger a wave of enterprise core data breaches, forcing enterprises to purchase security auditing and vulnerability scanning services tailored to BI platforms. Moreover, startups at the intersection of data governance and data security (offering solutions such as BI security gateways or data access firewalls) may see their commercial value re‑evaluated by the capital market.
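The vulnerability class described above (a dashboard filter translated into a WHERE clause) is worth seeing side by side with its fix, because “use parameterised queries” is only half of it: filter definitions carry column names and operators as well as values, and those two positions cannot be bound as parameters. The following Python is an added example for this page, not Dataease’s SqlparserUtils.transFilter (which is Java and whose internals the page does not show). It runs against an in‑memory SQLite table with constructed rows and shows the concatenating translator beside one that allow‑lists identifiers and operators and binds values.

```python
"""Filter-to-SQL translation: the injectable pattern beside a hardened one.

Added example in Python for this page; not Dataease's code. The dataset,
column allow-list and filter payloads are constructed for the demo.
"""
import sqlite3

# Constructed sample data: a tenant is only supposed to see its own region.
ROWS = [("EU", 120), ("EU", 80), ("US", 500), ("APAC", 300)]

# Derived from the dataset's schema at deploy time, never from the request.
ALLOWED_COLUMNS = {"region", "amount"}
ALLOWED_OPS = {"=": "=", "!=": "<>", ">": ">", "<": "<", "like": "LIKE"}


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (region TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?, ?)", ROWS)
    return conn


def vulnerable_where(filters: list) -> str:
    """Dashboard-style translation by string concatenation: field, op and value are all attacker text."""
    parts = [f"{f['field']} {f['op']} '{f['value']}'" for f in filters]
    return " AND ".join(parts) or "1=1"


def query_vulnerable(conn, filters):
    return conn.execute("SELECT region, amount FROM sales WHERE " + vulnerable_where(filters)).fetchall()


def safe_where(filters: list):
    """Identifiers and operators are looked up in fixed allow-lists; values become bound parameters."""
    clauses, params = [], []
    for f in filters:
        col, op, val = f["field"], f["op"], f["value"]
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column {col!r}")
        if op not in ALLOWED_OPS:
            raise ValueError(f"unsupported operator {op!r}")
        clauses.append(f'"{col}" {ALLOWED_OPS[op]} ?')   # quoted, allow-listed identifier; value bound
        params.append(val)
    return (" AND ".join(clauses) or "1=1"), params


def query_safe(conn, filters):
    where, params = safe_where(filters)
    return conn.execute("SELECT region, amount FROM sales WHERE " + where, params).fetchall()


# Constructed filter payloads as a BI API would receive them (JSON-decoded dicts).
BENIGN = [{"field": "region", "op": "=", "value": "EU"}]
# Tautology in the value position: the textbook injection that binding alone prevents.
TAUTOLOGY = [{"field": "region", "op": "=", "value": "EU' OR '1'='1"}]
# Injection through the identifier position, which parameter binding alone would not stop.
IDENT_INJECT = [{"field": "region = 'x' OR 1=1 --", "op": "=", "value": "EU"}]


def demo() -> dict:
    """Run each payload through both translators and return the row sets (or the rejection)."""
    conn = open_db()
    out = {
        "benign_vuln": query_vulnerable(conn, BENIGN),
        "benign_safe": query_safe(conn, BENIGN),
        "tautology_vuln": query_vulnerable(conn, TAUTOLOGY),   # every tenant's rows leak
        "tautology_safe": query_safe(conn, TAUTOLOGY),         # literal match, no rows
        "ident_vuln": query_vulnerable(conn, IDENT_INJECT),    # '--' comments out the rest
    }
    try:
        query_safe(conn, IDENT_INJECT)
        out["ident_safe"] = "accepted"
    except ValueError as exc:
        out["ident_safe"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

The hardened translator is the API‑layer control the DBA perspective asks for; it does not replace the database‑side one. Connect reporting platforms with an account that has SELECT only on the views they need, so that a filter parser bug that slips past review can read what that tenant may read but cannot tamper with anything.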

📅 Recent Database Hot Topics Recap

Date | Event | Core Highlights
May 11 | Vastbase private placement of up to RMB 702M | RMB 489M for HTAP, RMB 213M for multi‑modal time‑series; four years of losses a key point of contention
May 13 | CockroachDB lands on IBM Cloud & IBM Power | Distributed database enters the IBM Power ecosystem; Agentic AI drives architecture evolution
May 14 | Alibaba Cloud RDS MySQL 8.4 GA | First LTS release, AliSQL kernel optimisation; smooth upgrade window from 8.0→8.4 opens
May 14 | PostgreSQL 18.4 and other security updates released | 11 security vulnerabilities fixed; PG 14 EOL on November 12
May 15 | CETC Kingware KES V9 2025 Fusion Edition announced | Native multi‑modal convergence architecture supporting 8 data models; cumulative installations exceed 1 million
May 15 | Intruder report: 26% of enterprise MySQL exposed to internet | Medium‑large enterprises take 56 days to fix; significant industry variation
May 17 | Dataease SQL injection CVE-2026-8724 exposed | BI platforms become key entry points for attackers into enterprise networks
May 29 | Tencent Cloud “Database + AI” product launch | Debut of six core engines; AI‑In‑Database roadmap culminates

📌 Issue Summary

Vastbase private placement of RMB 702M
  Core keywords: HTAP integration, multi‑modal time‑series, four years of losses
  DBA actions: HTAP hybrid workload tuning + time‑series data processing; proactively learn row/column hybrid storage design
  CTO/decision‑maker focus: Evaluate both HTAP product delivery capability and vendor financial health
  Investor perspective: Subscription enthusiasm from institutional investors is the key indicator of market confidence

CETC Kingware KES V9 Fusion Edition
  Core keywords: Native multi‑modal convergence, 8 data models, 1M+ installations
  DBA actions: Learn multi‑modal fused query syntax and resource isolation under mixed workloads
  CTO/decision‑maker focus: “Three lows, one smooth” migration approach provides a large‑scale validation benchmark for core Xinchuang transformation
  Investor perspective: 1M+ installation base offers a natural channel advantage for promoting multi‑modal products

CockroachDB enters IBM ecosystem
  Core keywords: Distributed SQL, IBM Power, Agentic AI
  DBA actions: Move from single‑node tuning to distributed tuning; master Paxos/Raft and distributed transactions
  CTO/decision‑maker focus: IBM endorsement reduces selection risk for distributed SQL in core scenarios
  Investor perspective: IBM’s vast customer base provides a strategic sales channel for CockroachDB

Intruder exposure report
  Core keywords: 26% MySQL public exposure, remediation time variation
  DBA actions: Immediately scan public database ports; enforce allow‑list access and MFA
  CTO/decision‑maker focus: Establish exposure management metrics; compress remediation time to under 2 weeks
  Investor perspective: Attack surface management security companies see sustained procurement demand

Weekly security vulnerability recap
  Core keywords: Dataease injection, BI platforms as prime targets
  DBA actions: Inventory all “database‑connected” intermediate platforms; enforce parameterised queries on APIs
  CTO/decision‑maker focus: Include BI and low‑code tools in regular red‑team exercises
  Investor perspective: Data security + data governance cross‑category startups attract capital re‑evaluation

HiddenMerit Team Production. Slogan: “绩优隐于内, 金石启新程” | Hidden deep. Merit bold. Forge ahead.


HiddenMerit (绩隐金), all rights reserved. Unless otherwise noted, all content is original and licensed under CC BY-NC-SA.
When reposting, please credit the original article: HiddenMerit Daily · Issue 23