All Posts

Security
Jun 15, 2026
Angular's 2026 CVE Surge: 21 New Advisories, No Patches for EOL Apps
Angular CVE disclosures are accelerating, AI is driving the discovery, and end-of-life Angular versions are the most exposed software you run.
Javier Perez

Thought Leadership
Jun 12, 2026
Spring Boot 3.5 Is the Next One: How to Think About the Decision Before You Have to Make It
Spring shipped 30 CVEs in two months of 2026 — here's how to make the 3.5 → 4 decision on your timeline, not someone else's
Taylor Corbett

Security
Jun 12, 2026
CVE-2026-50555 & CVE-2026-50556 - Two High-Severity XSS Vulnerabilities in Angular SSR's DOM Serialization Layer
Inside the two server-side rendering XSS vulnerabilities affecting Angular 19 through 22, and why EOL versions can't patch
Ryan Jasinski

Thought Leadership
Jun 12, 2026
CVE-2026-50178 Angular Language Service VS Code Extension RCE
How unsanitized JSDoc hover content and a trusted Markdown renderer let a crafted project file execute arbitrary shell commands on a developer's machine
Ryan Jasinski

Security
Jun 12, 2026
Ingress NGINX End of Life (March 2026): Risks, Migration Paths, and Support Options
Ingress NGINX reached end of life in March 2026. What is actually EOL, the security and compliance risks of staying, every migration path compared, and how to keep running it with full support while you migrate.
Greg Allen
Security
Jun 12, 2026
Spring Boot 4.0 Is Coming, and Your 3.x Apps Won't Just Recompile
Spring Boot 3.5 reaches open-source end of life on June 30, 2026. A new community guide from Steve Poole maps all 115 breaking changes in the move to 4.0, sorted by what breaks your build, your runtime, and your results.
Steve Poole

Thought Leadership
Jun 11, 2026
Node.js Is Moving to One Release a Year. The People Who Ship It Explain Why.
HeroDevs sat down with Node.js TSC members Matteo Collina and Marco Ippolito to unpack the new annual release schedule, the paused bounty program, AI in vulnerability reports, and why so many teams still run end-of-life Node.js.
Taylor Corbett

Security
Jun 11, 2026
CVE-2026-40987: Spring Integration Remote-File Synchronizer File Write
How a remote-file synchronizer that writes a server-supplied filename under localDirectory without canonicalization lets a malicious FTP/SFTP/SMB server plant files anywhere on the client
Greg Allen

Security
Jun 11, 2026
CVE-2026-50168: Angular SSR SSRF Allowlist Bypass via URL Parser Differential in @angular/platform-server
CVE-2026-50168: Understanding the Angular SSRF Allowlist Bypass
Ryan Jasinski

Security
Jun 11, 2026
TinyMCE XSS: Four Sanitization Bypass CVEs (CVE-2026-47759 to 47762)
How four separate content-sanitization gaps in TinyMCE let attacker-supplied editor content execute arbitrary JavaScript in any embedding application
Greg Allen

Security
Jun 10, 2026
Apache Tomcat Versions and EOL Dates: Tomcat 5.5 to Tomcat 11
A complete reference for every Apache Tomcat release timeline, the Tomcat 9 LTS plan, and what end-of-life means for the enterprise teams still running Tomcat 8.5 and 9 in production.
Greg Allen

Compliance
Jun 10, 2026
AI Coding Assistants Are Quietly Breaking Your Compliance Posture. Here’s How to Get It Back.
What senior leadership, security teams, compliance officers, and engineering leaders need to know about AI-accelerated open source adoption — and a practical path to stay compliant without slowing developers down.
Rob Nalen
Thought Leadership
Jun 9, 2026
Curated Open Source: What Replaces Reactive SCA Scanning in the AI-CVE Era
AI-driven CVE volume, maintainer burnout, and scanner blind spots are dismantling the scan-and-triage playbook. The replacement is curated open source: a deliberate posture where enterprises consume from a narrowed set of libraries with explicit ownership, SLAs, and commercial backing where it's needed.
Taylor Corbett
Compliance
Jun 8, 2026
95 Days to CRA Article 14: Your EOL Open Source Is Now a Compliance Liability
September 11 is when CRA Article 14 vulnerability reporting obligations begin. If your organization has end-of-life open source in production, here is the specific checklist your security and compliance teams need to work through before enforcement begins.
Taylor Corbett
Compliance
Jun 5, 2026
AI Cybersecurity Executive Order 2026: What It Means for EOL Software
A June 2026 executive order builds a national apparatus for AI-assisted vulnerability discovery. It accelerates the half of the lifecycle that hurts EOL software most — finding flaws — without generating patches for the frameworks that no longer have a maintainer.
Greg Allen