Thought Leadership
Mar 13, 2026
The Long Tail of Open Source: Why Old Versions Never Really Die
Why production systems keep running EOL frameworks—and what it means for security, compliance, and modernization.
HeroDevs
Security
Mar 13, 2026
81,000 Open Source Package Versions Have Known CVEs and No Patch. Here's Why That Number Is Probably Much Higher.
The 2026 State of the Software Supply Chain Report put a number on unpatchable EOL vulnerabilities. The real figure may be five times larger.
HeroDevs
Security
Mar 12, 2026
CVE-2025-66614 & CVE-2026-24733: Two Tomcat Vulnerabilities That Also Affect Spring Boot 2.7
Apache Tomcat's request handling trusted protocol-level identity signals that attackers can forge — and if you're on Tomcat 8.5 or Spring Boot 2.7, no official patch is coming.
Greg Allen
Security
Mar 12, 2026
CVE-2025-52999: Denial of Service via Stack Overflow in Jackson Core
Deeply nested JSON can crash your application — and if you're on Spring Boot 2.7, the upgrade path is more complicated than it looks.
Greg Allen
Thought Leadership
Mar 11, 2026
CRA Reporting Obligations Start September 2026: What EOL Dependencies Mean for Your Compliance
The EU Cyber Resilience Act creates new legal exposure for products containing end-of-life open-source software — and the 24-hour reporting deadline is six months away.
Greg Allen
Security
Mar 11, 2026
CVE-2026-2818 & CVE-2026-2817: Path Traversal and Insecure Temp Files in Spring Data Geode
Two newly disclosed vulnerabilities target the snapshot import feature in end-of-life Spring Data Geode — here's what they mean for your stack and how to remediate.
Greg Allen
Thought Leadership
Mar 10, 2026
The AI Security Slop Problem: What I See Triaging Vulnerability Reports for Node.js and Enterprise OSS
AI Tools Are Flooding Bug Bounty Programs — and Real Researchers Are Paying the Price
Marco Ippolito
Security
Mar 9, 2026
Where Can I Find Detailed Information and Patches for Apache Struts Vulnerabilities?
A practical guide to locating official Apache Struts security advisories, CVE records, and supported patch options in 2026.
HeroDevs
Thought Leadership
Mar 9, 2026
Why "Supported" ≠ "Secure" — And What EOL Really Means for Your Risk Profile
Most security programs assume that 'supported' means 'safe.' That assumption has a dangerous blind spot.
HeroDevs
Security
Mar 5, 2026
CVE-2026-27739: SSRF and Header Injection in Angular SSR Request Handling Pipeline
How Angular's URL reconstruction logic turned trusted headers into an attacker-controlled proxy
Greg Allen
Security
Mar 5, 2026
CVE-2026-27970: Cross-Site Scripting (XSS) in Angular i18n ICU Messages
How compromised translation files can execute arbitrary JavaScript in Angular applications using internationalization
Greg Allen
Thought Leadership
Mar 5, 2026
Why Long-Term Support Isn’t Only an Enterprise Concern
Why small and mid-sized teams need long-term software support to stay secure, compliant, and focused on growth
HeroDevs
Products
Mar 5, 2026
My SCA Tool Flagged an EOL Component — What Now?
Your scanner shows green. Your dependency is abandoned. Here's how to understand the gap — and close it.
HeroDevs
Thought Leadership
Mar 4, 2026
What the 2026 State of the Software Supply Chain Report Gets Right About End-of-Life Software
We partnered with Sonatype to quantify the EOL problem. Here's what the data actually showed — and what it means for your security program.
HeroDevs
Security
Mar 3, 2026
Dead Software Is the Vulnerability Your Scanner Misses. EOLDS Catches It — Free.
Introducing the End-of-Life Data Set (EOLDS), free End Of Life detection across 12 million+ packages.
Parin Shah