Original Data Report

The State of End-of-Life Software
in 2026

Published June 25, 2026 · endoflife.ai · 8 min read

Every day, endoflife.ai rebuilds a risk picture of the software the world actually runs — 459 technologies, every tracked release scored from 0 to 100 for how dangerous it is to keep running past its support date. This report is the June 2026 snapshot of that data: which technologies are most exposed, where end-of-life software intersects with vulnerabilities attackers are already exploiting, and the calendar of major releases going dark this year.

The headline finding is not that old software exists — it always has. It is where the risk concentrates: the most exposed end-of-life technologies are not obscure libraries, they are the infrastructure everything else is built on.

459
technologies tracked and risk-scored daily
32
tied to actively-exploited vulnerabilities (CISA KEV)
30
in the Critical risk band (score 80–100)
190
with a release reaching EOL during 2026
In this report
  1. How we measure it — the EOL Risk Score
  2. The dangerous intersection: EOL meets active exploitation
  3. The 30 most critical technologies
  4. The 2026 end-of-life calendar
  5. What it means for your stack

How We Measure It — The EOL Risk Score™

Every number in this report comes from the EOL Risk Score™, a 0–100 measure endoflife.ai computes for each technology from four weighted factors:

EOL Recency (0–40) — how long a release has been past end of life; the longer it runs unpatched, the higher it climbs. Attack Surface (0–30) — how widely deployed and exposed the technology is. CISA KEV Exposure (0–20) — whether the technology appears in CISA's Known Exploited Vulnerabilities catalog, the U.S. government's list of flaws confirmed to be under active attack. Extended Support (0–10) — whether a vendor or third party still offers paid patches.

Each technology's headline score reflects its most recently end-of-lifed release — the version a typical lagging deployment is most likely still running. Across all 459 technologies the mean score is 52 out of 100. The figures below are a point-in-time snapshot as of June 2026; because the data rebuilds daily, the live scores on each product page are always current.

The Dangerous Intersection: EOL Meets Active Exploitation

End-of-life software is a theoretical risk until it meets a real exploit. That is what makes the CISA KEV factor the most important signal in the dataset — it separates "old but quiet" from "old and being attacked right now."

32 of 459 technologies (7%) are tied to actively-exploited vulnerabilities. And they are not edge cases. The list is a roll-call of core infrastructure: Windows, Windows Server, Linux Kernel, RHEL, Debian, Ubuntu, CentOS, Python, Node.js, PHP, PostgreSQL, MySQL, MariaDB, MongoDB, Redis, Elasticsearch, OpenSSL, nginx, Apache Tomcat, Kubernetes, Docker Engine, Jenkins, GitLab, WordPress, Drupal, Joomla, SharePoint, Spring Framework, Spring Boot, Android, iOS, and macOS.

This is the finding that matters most. The technologies most likely to be both end-of-life and under active attack are the ones running underneath nearly every production system on earth. An unsupported obscure CMS plugin is a contained problem. An unsupported version of OpenSSL, the Linux kernel, or Kubernetes is a systemic one — and 29 of the 30 highest-scoring technologies in our dataset carry KEV exposure.

The 30 Most Critical Technologies

These are the technologies whose most-recently-retired release scores in the Critical band (80–100). The date column shows when that release reached end of life; "In KEV" flags the presence of an actively-exploited vulnerability. Click any score for the full breakdown.

TechnologyLatest retired releaseActive exploitsRisk Score™
Docker EngineMay 19, 2025In KEV95
Windows ServerOct 24, 2025In KEV90
WindowsNov 11, 2025In KEV90
Apache TomcatMar 31, 2024In KEV90
PythonOct 31, 2025In KEV90
PostgreSQLNov 13, 2025In KEV90
MongoDBSep 30, 2025In KEV90
macOSFeb 2, 2026In KEV90
KubernetesFeb 28, 2026In KEV90
iOSJan 26, 2026In KEV90
ElasticsearchJan 15, 2026In KEV90
AndroidMar 2, 2026In KEV90
RHELJun 30, 2024In KEV85
RedisMay 25, 2026In KEV85
OpenSSLApr 9, 2026In KEV85
Node.jsApr 30, 2026In KEV85
MySQLApr 30, 2026In KEV85
MariaDBMay 13, 2026In KEV85
Linux KernelApr 22, 2026In KEV85
DebianAug 14, 2024In KEV85
CentOSJun 30, 2024In KEV85
UbuntuJan 17, 2026In KEV80
Spring FrameworkJun 30, 2025In KEV80
Spring BootDec 31, 2025In KEV80
SharePointApr 11, 2023In KEV80
PHPDec 31, 2025In KEV80
JoomlaOct 14, 2025In KEV80
JenkinsJan 21, 2026In KEV80
DrupalDec 10, 2025In KEV80
Amazon LinuxDec 31, 202380
Docker Engine tops the list at 95/100. It is the single highest-scoring technology in the dataset — a combination of a long-retired release, an enormous attack surface, and confirmed active exploitation. If you run containers, the version of the engine underneath them deserves the same scrutiny you give the images on top.

The 2026 End-of-Life Calendar

190 technologies have a release reaching end of life in calendar 2026 — and 16 of those score 75 or higher, meaning a high-risk version of widely-used software goes unsupported in a predictable, schedulable window. There is no excuse for being surprised by any of these dates; they are published years in advance. Here is the 2026 roster of high-risk EOL events:

2026 EOL dateTechnologyRisk Score™
Jan 15Elasticsearch90
Jan 17Ubuntu80
Jan 21Jenkins80
Jan 26iOS90
Feb 2macOS90
Feb 28Kubernetes90
Mar 2Android90
Apr 9OpenSSL85
Apr 22Linux Kernel85
Apr 30MySQL85
Apr 30Node.js85
May 13MariaDB85
May 13nginx75
May 20WordPress75
May 21GitLab75
May 25Redis85

The first half of 2026 alone retired high-risk releases of the database tier (MySQL, MariaDB, Redis, Elasticsearch), the runtime tier (Node.js, OpenSSL), the orchestration tier (Kubernetes), and the OS tier (Ubuntu, Linux, iOS, macOS, Android). For most organisations, at least one of these is in production right now.

What It Means for Your Stack

The risk is concentrated, not diffuse. You do not need to audit 459 technologies. You need to know which of the 30 critical ones — and the 32 with active exploits — are in your environment, and which version you are on. That is a tractable, finite question.

EOL is predictable; breaches from it are not. Every date in the 2026 calendar was published years ahead. The gap between "we knew" and "we acted" is where incidents live. Put each EOL date in your roadmap the day you deploy, and an end-of-life never has to become an emergency.

"Newer" is not always "safer." Several technologies in our data ship short-lived releases that reach EOL within months — so a higher version number can be less supported than an older long-term release. The only reliable way to know is to check the specific version, not the marketing.

endoflife.ai exists to make that check trivial. Every technology in this report has a live page with its current Risk Score, full version history, and CISA KEV status — and the same data is available free through our API and as a one-shot Stack Scanner for your whole environment.

Find out where your stack sits in this data

Scan your environment against all 459 tracked technologies — free, no signup. Or pull the same Risk Scores straight into your tooling via the API.

Scan your stack Get the API Risk Score methodology
Go deeper

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.