EOL Risk Intelligence

EOL Risk Score™

Is your software a security liability? The EOL Risk Score™ gives every end-of-life product a 0–100 risk rating based on how long it's been unpatched, its attack surface, active exploitation history, and whether any vendor support exists.

Instant 0–100 score for 455+ products · free · no account · or see the highest-risk products under active exploitation →

Live Scores

Node.js 18
EOL Apr 30, 2025
85 Critical
Recency 35 · Surface 30 · KEV 20 · Support 0

PHP 7.4
EOL Nov 28, 2022
90 Critical
Recency 40 · Surface 30 · KEV 20 · Support 0

Python 3.9
EOL Oct 31, 2025
80 Critical
Recency 30 · Surface 30 · KEV 20 · Support 0

Ubuntu 20.04 LTS
EOL Apr 2025
85 Critical
Recency 35 · Surface 30 · KEV 20 · Support 0

Node.js 22 LTS
EOL Apr 2027
50 Medium
Recency 0 · Surface 30 · KEV 20 · Support 0

Go 1.24
EOL Feb 2027
20 Low
Recency 0 · Surface 10 · KEV 0 · Support 10

Score Bands

76–100 (Critical): Past EOL with high attack surface and active exploitation history. Immediate action required.
51–75 (High): Recently past EOL or approaching EOL with significant deployment breadth. Plan migration now.
26–50 (Medium): Active software with high attack surface, or EOL software with extended support available.
0–25 (Low): Actively supported with low attack surface and no known active exploitation.

The Four Factors

Factor 1 — EOL Recency (40 pts max)
How long ago a version reached end of life — or how soon it will. The longer a product has been past EOL with no patches, the greater the accumulated CVE exposure.
Scoring:
Active, EOL 6+ months away → 0 pts
EOL in 3–6 months → 8 pts
EOL in under 90 days → 15 pts
0–90 days past EOL → 25 pts
3–12 months past EOL → 30 pts
1–2 years past EOL → 35 pts
2+ years past EOL → 40 pts

Factor 2 — Attack Surface (30 pts max)
The breadth of an EOL product's attack surface based on its category. Operating systems, runtimes, and databases are critical-tier — they underpin virtually everything else. Frameworks and tools are high-tier. Utilities and libraries are medium-tier.
Critical tier (30 pts): OS, runtimes (Node.js, Python, PHP, Java, Ruby, Go), databases (MySQL, PostgreSQL, MongoDB, Redis), TLS/SSH, mobile OS
High tier (20 pts): Web frameworks, container orchestration tools, CMS platforms, CI/CD systems
Medium tier (10 pts): Libraries, utilities, and niche tools

Factor 3 — CISA KEV Exposure (20 pts max)
Whether the product family appears in the CISA Known Exploited Vulnerabilities catalog — meaning vulnerabilities in this product have been actively exploited in the wild. Products with confirmed active exploitation history represent a higher ongoing risk when running past EOL.
In CISA KEV catalog → 20 pts
Not confirmed in CISA KEV → 0 pts
Source: CISA Known Exploited Vulnerabilities Catalog

Factor 4 — Extended Support Availability (10 pts max)
Whether a commercial vendor offers continued security patches for this product beyond the official EOL date. The existence of extended support partially mitigates risk — organizations can purchase a patch path. Products with no extended support option carry higher residual risk.
No extended support available → 10 pts
Extended support available → 0 pts
Vendors tracked: TuxCare (Ubuntu, Debian, CentOS, RHEL, PHP, Python, Node.js, Angular, React, Vue, Django)

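Real-World Score Examples

| Product | EOL Date | Score | Band | Recency | Surface | KEV | No Support |
|---|---|---|---|---|---|---|---|
| Node.js 16 | Sep 2023 | 90 | Critical | 40 | 30 | 20 | 0 |
| PHP 7.4 | Dec 2022 | 90 | Critical | 40 | 30 | 20 | 0 |
| Node.js 18 | Apr 2025 | 85 | Critical | 35 | 30 | 20 | 0 |
| Ubuntu 20.04 LTS | Apr 2025 | 85 | Critical | 35 | 30 | 20 | 0 |
| Python 3.9 | Oct 2025 | 80 | Critical | 30 | 30 | 20 | 0 |
| PHP 8.2 | Dec 2026 | 50 | Medium | 0 | 30 | 20 | 0 |
| Node.js 22 LTS | Apr 2027 | 50 | Medium | 0 | 30 | 20 | 0 |
| Go 1.24 | Feb 2027 | 20 | Low | 0 | 10 | 0 | 10 |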
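
The four factors and score bands above, combined into a scorer that ranks a small inventory; this is an added example, not endoflife.ai's own code. The day-count reading of the month thresholds, the boundary handling, the 2026-06-01 build date, and all function names are assumptions.

```python
from datetime import date

# Point values as published in the factor tables above.
SURFACE = {"critical": 30, "high": 20, "medium": 10}
BANDS = [(76, "Critical"), (51, "High"), (26, "Medium"), (0, "Low")]

def recency_points(eol: date, as_of: date) -> int:
    # Assumption: months are read as 90/180/365 days and 2 years as 730 days;
    # the page does not say which side of each boundary is inclusive.
    past = (as_of - eol).days  # negative while the version is still supported
    if past < 0:
        return 0 if past < -180 else 8 if past < -90 else 15
    return 25 if past <= 90 else 30 if past <= 365 else 35 if past <= 730 else 40

def eol_risk(eol, as_of, tier, in_kev, extended_support):
    """Return (score, band, per-factor points) for one product version."""
    parts = {
        "recency": recency_points(eol, as_of),
        "surface": SURFACE[tier],
        "kev": 20 if in_kev else 0,
        "support": 0 if extended_support else 10,
    }
    score = sum(parts.values())
    band = next(name for floor, name in BANDS if score >= floor)
    return score, band, parts

# Constructed inventory. Tier, KEV and support flags are chosen to match the
# factor points the page shows per product; a day of 1 is assumed where the
# page gives only a month.
INVENTORY = [
    ("Node.js 18", date(2025, 4, 30), "critical", True, True),
    ("PHP 7.4", date(2022, 11, 28), "critical", True, True),
    ("Python 3.9", date(2025, 10, 31), "critical", True, True),
    ("Go 1.24", date(2027, 2, 1), "medium", False, False),
]

def rank(as_of: date):
    """Score every inventory entry and sort highest risk first."""
    rows = [(name, *eol_risk(eol, as_of, t, k, s)[:2])
            for name, eol, t, k, s in INVENTORY]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for name, score, band in rank(date(2026, 6, 1)):  # assumed build date
        print(f"{score:3d} {band:8s} {name}")
```

Rescoring the same entry at a later date raises the recency component, which is why a version still inside its support window can change band between builds.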

What the EOL Risk Score™ Is Not

Not a CVE count
The score does not count specific CVEs. It quantifies the structural conditions that make EOL software dangerous — independent of any specific vulnerability.
Not a penetration test
The score does not assess your specific configuration, network exposure, or compensating controls. It is a product-level signal, not an environment-level assessment.
Not a replacement for a scanner
Vulnerability scanners and the EOL Risk Score™ serve different purposes. Scanners identify known CVEs in your environment. The EOL Risk Score™ identifies the structural risk of running software the vendor no longer patches.
Not static
Scores are recalculated at every build using the current date. A product approaching EOL will increase in score as the date nears. Scores reflect the state of the world at build time.

Update Cadence

Scores are recalculated at every site build using the current date. EOL dates are sourced from endoflife.date and official vendor documentation. CISA KEV product coverage is reviewed periodically. Attack surface tier assignments are reviewed quarterly.

Licensing

EOL Risk Score™ is a proprietary methodology developed by endoflife.ai. The score and methodology may be referenced with attribution. Commercial use or reproduction of the scoring methodology without permission is not permitted.

Check your stack's EOL Risk Score™

Every product and version page on endoflife.ai displays an EOL Risk Score™. Check yours — free, no account required.


Add the EOL Risk badge to your README

Show your project's lifecycle status at a glance and link readers back to the live data. Paste either snippet into a GitHub README, docs page, or website.

Static badge

[![EOL Risk — endoflife.ai](https://img.shields.io/badge/EOL_Risk-check_your_stack-4ade80?style=flat-square&labelColor=08090c)](https://endoflife.ai/scanner)

Live badge — shows the real score for a specific version

[![EOL Risk](https://img.shields.io/endpoint?url=https://api.endoflife.ai/v1/badge/postgresql/14)](https://endoflife.ai/postgresql)

Swap postgresql/14 for any product and version. Powered by the free endoflife.ai API.

© 2026 endoflife.ai — Software Lifecycle Intelligence