EOL Vulnerabilities in Open Source Software: A Hidden Risk
Severity: High (Score: 67.5)
Sources: www.sonatype.com, Bleepingcomputer, www.herodevs.com
Summary
Security teams face a significant risk from end-of-life (EOL) open source software: vulnerabilities in it go unpatched and, worse, unreported. When a vulnerability is found, maintainers file a CVE with a defined set of affected version ranges. EOL versions are usually left out of those ranges because nobody assessed them, so vulnerability scanners that match against the CVE record produce no alert for them. The problem is compounded by growth in the CVE corpus itself: global CVE counts have doubled and unscored CVEs have risen 37x over five years.

Sonatype's 2026 report puts a number on the gap: 167,286 exploitable components went unflagged in 2025 because EOL versions were omitted from advisories. A recent critical example is CVE-2026-22732, which affects Spring Security 6.2.x. That line reached EOL in December 2025 and is not listed in the official CVE record, so organizations running Spring Boot 3.2 (which bundles Spring Security 6.2) are exposed without any scanner alert. HeroDevs reports that, roughly 80% of the time, a new CVE also affects the EOL version and requires a backported fix. The net effect is a false sense of security for organizations that rely solely on standard vulnerability scanners: a clean scan can mean "not assessed", not "not affected".

Key Points:
• EOL open source software carries hidden risk: its vulnerabilities are neither patched nor reflected in CVE records.
• CVE-2026-22732 affects Spring Security 6.2.x, but the 6.2 line is not listed in the official advisory, so scanners stay silent.
• HeroDevs finds EOL versions are affected by new CVEs about 80% of the time, which shows the limits of scanners that trust advisory version ranges.
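The mechanism above (a scanner matches a dependency against the advisory's affected ranges and reports nothing when the version falls below all of them) can be corrected in a few lines. The following is an added example, not code from any of the cited sources or from the Spring project: a dependency check that reports versions older than every listed range as "below-advisory" (unassessed, review manually) rather than silently treating them as clean. The advisory ranges and the SBOM excerpt are constructed for illustration; the version numbers are hypothetical and are not taken from the real CVE-2026-22732 record.

```python
"""Added example: classify dependencies against an advisory without treating
"older than every affected range" as "not affected". All data below is
constructed; the ranges are hypothetical, not the real CVE-2026-22732 data."""
from dataclasses import dataclass


def parse_version(s: str) -> tuple[int, int, int]:
    """Parse a numeric dotted version into a 3-tuple; missing parts become 0.
    Pre-release suffixes such as "-RC1" are deliberately out of scope."""
    parts = [int(p) for p in s.split(".")]
    if len(parts) > 3:
        raise ValueError(f"unsupported version format: {s}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


@dataclass(frozen=True)
class AffectedRange:
    start: str      # first affected version, inclusive
    less_than: str  # first fixed version, exclusive (CVE 5.x "lessThan" style)

    def contains(self, version: str) -> bool:
        return parse_version(self.start) <= parse_version(version) < parse_version(self.less_than)


def classify(version: str, ranges: list[AffectedRange]) -> str:
    """Return one of: affected, not-affected, below-advisory, no-advisory.

    "below-advisory" means the version is older than every range the advisory
    lists. Because EOL lines are routinely dropped from records, that is an
    "unknown, review manually" result, not a clean one."""
    if not ranges:
        return "no-advisory"
    if any(r.contains(version) for r in ranges):
        return "affected"
    lowest_listed = min(parse_version(r.start) for r in ranges)
    if parse_version(version) < lowest_listed:
        return "below-advisory"
    return "not-affected"


def scan(dependencies: list[tuple[str, str]],
         advisories: dict[str, list[AffectedRange]]) -> list[tuple[str, str, str]]:
    """Classify every (name, version) pair against the advisory map."""
    results = []
    for name, version in dependencies:
        ranges = advisories.get(name)
        status = "no-advisory" if ranges is None else classify(version, ranges)
        results.append((name, version, status))
    return results


# Constructed advisory map with hypothetical affected ranges (illustration only).
ADVISORIES = {
    "spring-security": [
        AffectedRange("6.3.0", "6.3.9"),
        AffectedRange("6.4.0", "6.4.5"),
        AffectedRange("6.5.0", "6.5.3"),
    ],
}

# Constructed SBOM excerpt: (component name, version).
DEPENDENCIES = [
    ("spring-security", "6.2.8"),   # EOL line, older than every listed range
    ("spring-security", "6.4.2"),   # inside an affected range
    ("spring-security", "6.5.3"),   # exactly the fixed version
    ("spring-boot", "3.2.12"),      # no entry in this advisory map
]

if __name__ == "__main__":
    for name, version, status in scan(DEPENDENCIES, ADVISORIES):
        print(f"{name}:{version} -> {status}")
```

The useful output is the "below-advisory" row: a range-matching scanner would report that 6.2.x dependency as clean, while this check surfaces it for manual review or a vendor backport. Versions at or beyond a range's fixed version still come back "not-affected", so the extra class adds no noise for patched components.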
Key Entities
- Zero-day Exploit (attack_type)
- CVE-2026-22732 (cve)
- Crates.io (platform)
- Spring Boot (platform)
- Spring Security (platform)