Every year, dozens of major software products reach end of life. Vendors stop issuing security patches. CVEs accumulate indefinitely. And most organizations only find out when something breaks — or when an attacker finds out first.
2026 is a particularly heavy year for EOL events. Major runtime versions, widely deployed operating systems, core databases, and critical enterprise hardware are all crossing their support thresholds this year. This list covers the 50 most impactful — ranked by deployment breadth and security consequence.
How to Read This List
Each entry shows the product, version, EOL date, and a CVE risk rating based on the product's attack surface, deployment breadth, and historical vulnerability frequency. Critical means this product has been actively exploited in the wild and represents an urgent remediation priority. High means significant exposure with documented CVEs. Medium means lower deployment breadth or lower historical vulnerability frequency.
Part 1 — Already Past EOL in 2026 (Act Now)
These products reached end of life before May 2026. Every day you run them is another day of unpatched CVE exposure. These are not future risks — they are current ones.
| # | Product | Version | EOL Date | CVE Risk | Action |
|---|---|---|---|---|---|
| 01 | Windows 10 EOL | All editions | Oct 14, 2025 | Critical | Migrate to Windows 11 or enroll in ESU |
| 02 | Node.js 20 EOL | 20.x LTS | Apr 30, 2026 | Critical | Upgrade to Node.js 22 or 24 |
| 03 | MySQL 8.0 EOL | 8.0.x | Apr 30, 2026 | Critical | Upgrade to MySQL 8.4 LTS |
| 04 | Python 3.9 EOL | 3.9.x | Oct 5, 2025 | Critical | Migrate to Python 3.11 or 3.12 |
| 05 | PHP 8.1 EOL | 8.1.x | Dec 31, 2025 | Critical | Upgrade to PHP 8.3 or 8.4 |
| 06 | Ubuntu 20.04 LTS EOL | Focal Fossa | Apr 2, 2025 | Critical | Upgrade to Ubuntu 22.04 or 24.04 |
| 07 | Node.js 18 EOL | 18.x LTS | Apr 30, 2025 | Critical | Upgrade to Node.js 22 or 24 |
| 08 | Ruby 3.1 EOL | 3.1.x | Mar 31, 2025 | High | Upgrade to Ruby 3.3 or 3.4 |
| 09 | Redis 7.0 EOL | 7.0.x | Jul 31, 2025 | High | Upgrade to Redis 8.x or evaluate Valkey |
| 10 | Django 4.2 LTS EOL | 4.2.x | Apr 1, 2026 | High | Upgrade to Django 5.2 LTS |
| 11 | Amazon Linux 2 EOL | AL2 | Jun 30, 2025 | Critical | Migrate to Amazon Linux 2023 |
| 12 | Kubernetes 1.29 EOL | 1.29.x | Feb 28, 2026 | High | Upgrade to Kubernetes 1.32 or 1.33 |
| 13 | Kubernetes 1.30 EOL | 1.30.x | Jun 28, 2026 | High | Upgrade to Kubernetes 1.32 or 1.33 |
| 14 | Angular 17 EOL | 17.x | May 15, 2025 | High | Upgrade to Angular 19 or 20 |
| 15 | .NET 7 EOL | 7.x | May 14, 2024 | High | Upgrade to .NET 8 or .NET 9 |
| 16 | MongoDB 6.0 EOL | 6.0.x | Oct 1, 2025 | High | Upgrade to MongoDB 7.0 or 8.0 |
| 17 | Rails 7.0 EOL | 7.0.x | Apr 1, 2025 | High | Upgrade to Rails 7.2 or 8.0 |
| 18 | Laravel 10 EOL | 10.x | Feb 4, 2025 | High | Upgrade to Laravel 11 or 12 |
| 19 | Go 1.23 EOL | 1.23.x | Aug 1, 2025 | Medium | Upgrade to Go 1.24 |
| 20 | OpenSSL 3.1 EOL | 3.1.x | Mar 14, 2025 | Critical | Upgrade to OpenSSL 3.3 or 3.4 LTS |
Part 2 — Reaching EOL Before End of 2026 (Plan Now)
These products reach end of life between now and December 31, 2026. Migration projects for the items in this section need to be underway now — not started when the date arrives.
| # | Product | Version | EOL Date | CVE Risk | Action |
|---|---|---|---|---|---|
| 21 | Redis 7.2 Warning | 7.2.x | Jul 31, 2026 | High | Plan upgrade to Redis 8.x or Valkey |
| 22 | Python 3.10 Warning | 3.10.x | Oct 4, 2026 | Critical | Migrate to Python 3.11 or 3.12 |
| 23 | PHP 8.2 Warning | 8.2.x | Dec 31, 2026 | High | Upgrade to PHP 8.3 or 8.4 |
| 24 | Java 17 LTS Warning | 17.x | Sep 30, 2026 | Critical | Migrate to Java 21 or 25 LTS |
| 25 | .NET 8 Warning | 8.x | Nov 10, 2026 | High | Plan upgrade to .NET 9 or .NET 10 |
| 26 | Kubernetes 1.31 Warning | 1.31.x | Oct 28, 2026 | High | Plan upgrade to 1.33 |
| 27 | Angular 18 Warning | 18.x | Nov 20, 2026 | High | Plan upgrade to Angular 19 or 20 |
| 28 | Debian 11 Bullseye Warning | Bullseye | Jun 30, 2026 | Critical | Upgrade to Debian 12 Bookworm |
| 29 | PostgreSQL 14 Warning | 14.x | Nov 12, 2026 | High | Upgrade to PostgreSQL 16 or 17 |
| 30 | OpenSSL 3.0 LTS Warning | 3.0.x | Sep 7, 2026 | Critical | Upgrade to OpenSSL 3.4 LTS |
| 31 | Ruby 3.2 Warning | 3.2.x | Mar 31, 2026 | High | Upgrade to Ruby 3.3 or 3.4 |
| 32 | MariaDB 10.6 Warning | 10.6.x | Jul 6, 2026 | High | Upgrade to MariaDB 10.11 LTS or 11.4 LTS |
| 33 | Spring Framework 5.3 Warning | 5.3.x | Dec 31, 2026 | High | Migrate to Spring Framework 6.x |
| 34 | Windows 11 23H2 Warning | 23H2 | Nov 10, 2026 | High | Update to Windows 11 24H2 |
| 35 | Docker Engine 25 Warning | 25.x | Dec 1, 2026 | Medium | Upgrade to Docker Engine 26 or 27 |
| 36 | Angular 19 Warning | 19.x | May 22, 2026 | High | Upgrade to Angular 20 |
| 37 | Dell EMC Unity 300/400/500 Warning | Storage | Dec 31, 2026 | High | Migrate to Dell PowerStore |
| 38 | Kubernetes 1.32 Warning | 1.32.x | Feb 28, 2027 | High | Plan upgrade to 1.33 or 1.34 |
| 39 | Go 1.24 Warning | 1.24.x | Feb 1, 2027 | Medium | Plan upgrade when Go 1.25 releases |
| 40 | OpenSSL 3.3 Warning | 3.3.x | Apr 9, 2026 | Critical | Upgrade to OpenSSL 3.4 LTS immediately |
Part 3 — Critical Infrastructure EOL (2026 Hardware)
Hardware EOSL has the longest lead times and the highest remediation cost. These items should be in capital planning conversations now.
| # | Product | Platform | EOSL Date | Risk | Action |
|---|---|---|---|---|---|
| 41 | Cisco Catalyst 3650/3850 | Switching | Oct 31, 2025 | Critical | Replace with Catalyst 9300 series |
| 42 | Cisco ASA 5508-X / 5516-X | Firewall | Aug 31, 2027 | Critical | Migrate to Cisco Firepower 1000/2100 |
| 43 | HPE ProLiant Gen 9 | DL360/DL380 | Jan 31, 2024 | Critical | Replace with Gen 10 or Gen 11 |
| 44 | Dell PowerEdge 13G | R630/R730 | Oct 31, 2023 | Critical | Replace with PowerEdge 15G or 16G |
| 45 | Dell EMC VNX/VNX2 | Storage | Dec 31, 2023 | Critical | Migrate to Dell PowerStore |
Part 4 — Watch List: EOL in Early 2027
These products reach EOL in Q1 2027. Migration projects should be scoped and resourced before year-end 2026.
| # | Product | Version | EOL Date | CVE Risk | Action |
|---|---|---|---|---|---|
| 46 | Node.js 22 LTS | 22.x | Apr 30, 2027 | High | Begin planning migration to Node.js 24 |
| 47 | PostgreSQL 15 | 15.x | Nov 11, 2027 | High | Plan upgrade to PostgreSQL 17 |
| 48 | Django 5.0 | 5.0.x | Apr 1, 2026 | High | Upgrade to Django 5.2 LTS |
| 49 | Ruby 3.3 | 3.3.x | Mar 31, 2027 | Medium | Plan upgrade to Ruby 3.4 |
| 50 | Laravel 11 | 11.x | Aug 5, 2026 | High | Plan upgrade to Laravel 12 |
What to Do With This List
Cross-reference every item against your actual production stack. For any match, create a tracked ticket with an owner and a deadline. Don't leave it as a note — it needs to be in your issue tracker, assigned, with a date.
For items already past EOL: These are your immediate priorities. Apply compensating controls — network segmentation, enhanced monitoring, restricted access — while migration is underway. Do not wait for the migration to be complete before implementing controls.
For items EOL within 6 months: Migration projects should already be scoped. If they aren't, start the scoping conversation this week. Six months is enough runway if you start now. Two months is not.
For items EOL in 2027: These belong in your annual planning conversation. Budget and resource them now so there is no scramble when the date arrives.
This list is updated quarterly. For real-time EOL status on any product, use the EOL Checker or browse the Product Index. For your full dependency stack, upload your requirements file to the Stack Scanner.
Data sourced from endoflife.date, NIST NVD, CISA KEV catalog, and official vendor lifecycle pages. How we source data →