Security — The CVE Blind Spot

Unsupported Software
Detection

Updated July 16, 2026 · endoflife.ai · Detection Guide · EOL Security

Your vulnerability scanner has a blind spot, and it's shaped exactly like end-of-life software. Scanners detect known vulnerabilities — published CVEs matched against installed versions. But when software goes EOL, researchers and maintainers largely stop filing and fixing CVEs against it. The result is perverse: the less supported a version is, the cleaner it can look in a scan. Detecting unsupported software takes a different kind of data — lifecycle dates, not vulnerability feeds — and that's what this page is about.

Why Scanners Miss Unsupported Software

A CVE only exists if someone finds a vulnerability, reports it, and gets it catalogued. Active projects generate a steady stream of them because people are looking. Once a version passes end of life, the maintainer stops patching, researchers move on, and the CVE stream dries up — not because the software got safer, but because nobody is watching it anymore. Unsupported software doesn't announce itself, either: it keeps serving traffic and passing health checks exactly as before. The only signal that anything changed is a date on a vendor lifecycle page, and that signal never appears in a vulnerability feed.

The blind spot in one sentence A zero-CVE scan result on an EOL version means nobody is looking — not that there's nothing to find.

CVE Scanning vs. EOL Detection

Vulnerability Scanning EOL Detection
Data source Published CVE feeds Vendor support lifecycles and EOL dates
Catches Known, catalogued vulnerabilities Versions that will never receive another patch
Fails when Nobody files CVEs against abandoned software A product's lifecycle isn't tracked
Answers "What is currently known to be broken?" "What will stay broken forever?"

These are complements, not substitutes. You need both — but most teams already have the first and are missing the second.

The Detection Toolkit

endoflife.ai covers the EOL side with lifecycle data for 480+ products, consumable three ways depending on how deep you want to go:

After Detection: What to Do With Findings

Detection produces a list; the list needs an order. The EOL Risk Score — a 0–100 benchmark weighing how long a version has been EOL, its attack surface, CISA KEV exposure, and whether extended support exists — gives you that order. From there, each finding gets one of two treatments: migrate to a supported version, or bridge the gap with paid extended support while a migration is planned. The EOL management guide covers that decision in full, and if the bridge is the right call, we can match you with an extended-support provider for free.

Find your blind spot now

Check a single product in seconds, or scan an entire dependency file.

Free · no signup required
Check a Product Now → Scan Your Stack Get Matched With Extended Support

Frequently Asked Questions

Why doesn't my vulnerability scanner detect unsupported software?

Vulnerability scanners match installed versions against published CVEs. When software goes end of life, researchers and maintainers largely stop filing and fixing CVEs against it — so an EOL version can look clean in a scan precisely because nobody is looking at it anymore. Detecting unsupported software requires lifecycle data (support dates), not vulnerability data.

How do I detect end-of-life software in my stack?

Three ways on endoflife.ai: look up a single product and version in the free EOL Checker; upload a dependency file (requirements.txt, package.json, Gemfile, or composer.json) to the Stack Scanner for a full lifecycle report; or query the API — free tier of 500 requests per day — to run detection continuously in CI/CD or an inventory job.

What counts as unsupported software?

Any version whose maintainer has stopped shipping security patches — either because the whole product reached end of life or because that specific version line fell out of its support window. It keeps running normally, which is exactly why it goes undetected.

What should I do with software I detect as EOL?

Prioritize it with the EOL Risk Score (a 0–100 benchmark), then either plan a migration or, if you need time, bridge the gap with extended support — endoflife.ai can match you with an appropriate provider for free.

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.