All Posts

Security
May 12, 2026
Jetty End of Life Dates: Jetty 9, 10, 11, and 12 (2026 Guide)
Complete EOL timeline for every modern Eclipse Jetty release, the Servlet and Jakarta EE specs each version implements, and what to do now that Jetty 9, 10, and 11 are no longer published to Maven Central.
Greg Allen
Thought Leadership
May 11, 2026
30 CVEs in Two Months: What the Spring Numbers Tell Us About the Future of Open Source Security
Why the CVE explosion is breaking traditional security models—and what enterprises must do next.
Taylor Corbett
Security
May 11, 2026
Spring Security April 2026: 7 CVEs Including Two Critical Authorization Bypasses
How a single April 21 advisory cycle reshaped the Spring Security threat model from CVSS 9.6 client registration through 8.1 servlet path matching
Greg Allen
Security
May 8, 2026
CVE-2026-40982: Critical Spring Cloud Config Server Directory Traversal (CVSS 9.8)
A pre-auth path traversal in spring-cloud-config-server lets unauthenticated attackers read arbitrary files on the host. Affects 3.1.x through 5.0.x, with no upstream fix for EOL branches.
Erik Weibust

Security
May 8, 2026
CVE-2025-55752: Relative Path Traversal in Apache Tomcat Rewrite Valve
How a regression in Tomcat's URL rewrite pipeline bypasses /WEB-INF/ and /META-INF/ protections and opens a path to remote code execution when PUT is enabled
Greg Allen

Security
May 7, 2026
Spring Boot April 2026: 8 CVEs Including CVE-2026-40976 Critical
How a single April 23 release fixed eight Spring Boot vulnerabilities, dominated by auto-configuration paths that silently weakened production security
Mark Szymanski

Security
May 7, 2026
Log4j 2.17.x: Five Unpatched CVEs Now Resolved with NES for Apache Log4j 2
HeroDevs releases a drop-in replacement for Log4j 2.17.x patching two TLS hostname verification bypasses and three log pipeline vulnerabilities with no upstream fix available.
Erik Weibust
Products
May 7, 2026
The Q2 2026 EOL Survival Guide: MySQL, Node 20, Django, Angular, Spring
Five major frameworks. Ninety days. Your survival guide to the most concentrated open source EOL wave in history.
Parin Shah

Security
May 6, 2026
CVE-2026-22752: Spring Authorization Server Critical — XSS, SSRF, and Privilege Escalation
How a flaw in dynamic client registration exposes OAuth servers to XSS, SSRF, and token abuse.
Mark Szymanski

Thought Leadership
May 5, 2026
EOL Open Source Is Now a CRA Compliance Problem. Most Teams Don't Know Which Components They're Exposed On.
September 11, 2026 is when manufacturer reporting obligations begin. December 11, 2027 is full enforcement. Here is what each deadline actually requires — and what EOL open source components mean for your compliance posture before both dates arrive.
Taylor Corbett

Security
May 4, 2026
CVE-2025-24813: Remote Code Execution in Apache Tomcat via Partial PUT Path Equivalence
How a path equivalence flaw in the default servlet exposed Apache Tomcat to unauthenticated RCE, information disclosure, and file injection, and why it is now in CISA's Known Exploited Vulnerabilities catalog
Greg Allen

Security
May 1, 2026
Spring Boot Versions, EOL Dates, and Latest Releases (April 2026)
The current Spring Boot release, every supported branch, every end-of-life date, and what to do if you are stuck on an unsupported version. Updated for April 2026.
Greg Allen
Security
Apr 30, 2026
CVE-2026-1207: SQL Injection in Django Raster Lookups (PostGIS)
How a missed parameterization in PostGIS raster band index lookups exposes every Django version, including the unevaluated EOL ones
Greg Allen

Products
Apr 30, 2026
Introducing EOLDS: See Every EOL Dependency in Your Stack
Find every end-of-life dependency before your auditor does—and fix the risks your scanner can’t see.
Parin Shah

Security
Apr 29, 2026
Application Security in 2026: Why Old jQuery CVEs Still Dominate Codebases
Vulnerabilities are not new, yet they persist because organizations fail to patch or migrate away from outdated versions.
Javier Perez
