Originally published on endoflife.ai.
Every day, endoflife.ai rebuilds a risk picture of the software the world actually runs — 459 technologies, every tracked release scored 0–100 for how dangerous it is to keep running past its support date. This is the June 2026 snapshot of that data: which technologies are most exposed, where end-of-life software intersects with vulnerabilities attackers are already exploiting, and the calendar of major releases going dark this year.
The headline finding isn't that old software exists — it always has. It's where the risk concentrates: the most exposed end-of-life technologies aren't obscure libraries, they're the infrastructure everything else is built on.
| Metric | Value |
|---|---|
| Technologies tracked & scored daily | 459 |
| Tied to actively-exploited vulnerabilities (CISA KEV) | 32 |
| In the Critical risk band (80–100) | 30 |
| With a release reaching EOL during 2026 | 190 |
How we measure it — the EOL Risk Score
Every number comes from a 0–100 score computed from four weighted factors:
- EOL Recency (0–40) — how long a release has been past end of life.
- Attack Surface (0–30) — how widely deployed and exposed the technology is.
- CISA KEV Exposure (0–20) — whether it appears in CISA's Known Exploited Vulnerabilities catalog (confirmed active attack).
- Extended Support (0–10) — whether a vendor or third party still offers paid patches.
Each technology's headline score reflects its most recently end-of-lifed release — the version a typical lagging deployment is most likely still running. Across all 459, the mean score is 52/100.
The dangerous intersection: EOL meets active exploitation
End-of-life software is a theoretical risk until it meets a real exploit. That's what makes the CISA KEV factor the most important signal — it separates "old but quiet" from "old and being attacked right now."
32 of 459 technologies (7%) are tied to actively-exploited vulnerabilities. And they're not edge cases — it's a roll-call of core infrastructure: Windows, Windows Server, Linux Kernel, RHEL, Debian, Ubuntu, CentOS, Python, Node.js, PHP, PostgreSQL, MySQL, MariaDB, MongoDB, Redis, Elasticsearch, OpenSSL, nginx, Apache Tomcat, Kubernetes, Docker Engine, Jenkins, GitLab, WordPress, Drupal, Joomla, SharePoint, Spring Framework, Spring Boot, Android, iOS, and macOS.
29 of the 30 highest-scoring technologies carry KEV exposure. An unsupported obscure CMS plugin is a contained problem. An unsupported OpenSSL, Linux kernel, or Kubernetes is a systemic one.
The 30 most critical technologies
| Technology | Latest retired release | Active exploits | Risk Score |
|---|---|---|---|
| Docker Engine | May 19, 2025 | In KEV | 95 |
| Windows Server | Oct 24, 2025 | In KEV | 90 |
| Windows | Nov 11, 2025 | In KEV | 90 |
| Apache Tomcat | Mar 31, 2024 | In KEV | 90 |
| Python | Oct 31, 2025 | In KEV | 90 |
| PostgreSQL | Nov 13, 2025 | In KEV | 90 |
| MongoDB | Sep 30, 2025 | In KEV | 90 |
| macOS | Feb 2, 2026 | In KEV | 90 |
| Kubernetes | Feb 28, 2026 | In KEV | 90 |
| iOS | Jan 26, 2026 | In KEV | 90 |
| Elasticsearch | Jan 15, 2026 | In KEV | 90 |
| Android | Mar 2, 2026 | In KEV | 90 |
| RHEL | Jun 30, 2024 | In KEV | 85 |
| Redis | May 25, 2026 | In KEV | 85 |
| OpenSSL | Apr 9, 2026 | In KEV | 85 |
| Node.js | Apr 30, 2026 | In KEV | 85 |
| MySQL | Apr 30, 2026 | In KEV | 85 |
| MariaDB | May 13, 2026 | In KEV | 85 |
| Linux Kernel | Apr 22, 2026 | In KEV | 85 |
| Debian | Aug 14, 2024 | In KEV | 85 |
| CentOS | Jun 30, 2024 | In KEV | 85 |
| Ubuntu | Jan 17, 2026 | In KEV | 80 |
| Spring Framework | Jun 30, 2025 | In KEV | 80 |
| Spring Boot | Dec 31, 2025 | In KEV | 80 |
| SharePoint | Apr 11, 2023 | In KEV | 80 |
| PHP | Dec 31, 2025 | In KEV | 80 |
| Joomla | Oct 14, 2025 | In KEV | 80 |
| Jenkins | Jan 21, 2026 | In KEV | 80 |
| Drupal | Dec 10, 2025 | In KEV | 80 |
| Amazon Linux | Dec 31, 2023 | — | 80 |
Docker Engine tops the list at 95/100 — a long-retired release, an enormous attack surface, and confirmed active exploitation.
The 2026 end-of-life calendar
190 technologies have a release reaching EOL in calendar 2026 — and 16 of those score 75+. The high-risk roster:
| 2026 EOL date | Technology | Risk Score |
|---|---|---|
| Jan 15 | Elasticsearch | 90 |
| Jan 17 | Ubuntu | 80 |
| Jan 21 | Jenkins | 80 |
| Jan 26 | iOS | 90 |
| Feb 2 | macOS | 90 |
| Feb 28 | Kubernetes | 90 |
| Mar 2 | Android | 90 |
| Apr 9 | OpenSSL | 85 |
| Apr 22 | Linux Kernel | 85 |
| Apr 30 | MySQL | 85 |
| Apr 30 | Node.js | 85 |
| May 13 | MariaDB | 85 |
| May 13 | nginx | 75 |
| May 20 | WordPress | 75 |
| May 21 | GitLab | 75 |
| May 25 | Redis | 85 |
The first half of 2026 alone retired high-risk releases across the database tier (MySQL, MariaDB, Redis, Elasticsearch), the runtime tier (Node.js, OpenSSL), orchestration (Kubernetes), and OS (Ubuntu, Linux, iOS, macOS, Android).
What it means for your stack
- The risk is concentrated, not diffuse. You don't need to audit 459 technologies — just which of the 30 critical ones (and 32 with active exploits) are in your environment, and which version.
- EOL is predictable; breaches from it aren't. Every date above was published years ahead. Put each EOL date in your roadmap the day you deploy.
- "Newer" isn't always "safer." Some technologies ship short-lived releases that EOL within months — a higher version number can be less supported.
Full interactive tables, live scores, and every technology's page are at endoflife.ai. The same data is free via the API and the Stack Scanner. Data rebuilt daily from the endoflife.date open dataset plus CISA KEV.
Top comments (0)