VYPR · trend · Published May 5, 2026 · Updated May 17, 2026 · 1 source

The EOL Blind Spot: Why Your SCA Tools Are Missing Critical Vulnerabilities

Software Composition Analysis (SCA) tools are failing to detect vulnerabilities in end-of-life (EOL) software because official CVE records often omit older versions from their affected ranges, creating a massive blind spot for security teams.

Security teams are facing a significant "blind spot" in their vulnerability management programs, as Software Composition Analysis (SCA) tools frequently fail to flag vulnerabilities in end-of-life (EOL) software. Because maintainers prioritize investigating and patching only currently supported versions, CVE records often omit older, EOL releases from their "affected versions" lists. Consequently, automated scanners—which rely on these official CVE ranges—do not report vulnerabilities for EOL software, creating a false sense of security for organizations running legacy components (BleepingComputer).

The technical mechanism behind this gap is a lack of investigative bandwidth. As the volume of CVEs has doubled in just five years, the number of unscored CVEs has surged 37-fold (BleepingComputer). Maintainers are forced to limit their analysis to active release lines, meaning that when a vulnerability is disclosed, the official affected range provided in the CVE record is often incomplete. Research indicates that for approximately 80% of CVEs disclosed on supported packages, EOL versions are also affected, yet they remain unlisted in the official records (BleepingComputer).

A concrete example of this issue surfaced in March 2026 with CVE-2026-22732, a critical vulnerability in Spring Security with a CVSS score of 9.1. The flaw causes security response headers—such as Cache-Control, X-Frame-Options, and Content-Security-Policy—to be silently dropped in specific configurations. While the official advisory lists Spring Security 5.7.x through 7.0.x as affected, it excludes version 6.2.x, which reached EOL in December 2025. Organizations running Spring Boot 3.2, which includes the vulnerable 6.2.x version, receive no alerts from standard scanning tools (BleepingComputer).
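As an added illustration (not code from the article or from BleepingComputer), the following Python toy range matcher shows why a scanner that only consults the ranges listed in a CVE record stays silent on an EOL release line sitting inside a gap, and how an EOL-aware check surfaces such versions for review instead. The CVE id, the version bounds and the EOL lines are constructed placeholders shaped like the Spring Security case; they are not the real CVE-2026-22732 data.

```python
"""Toy SCA matcher demonstrating the EOL blind spot in CVE affected ranges.

All data below is constructed for illustration: the record id, the version
bounds and the EOL lines are placeholders, not the real CVE-2026-22732 record.
"""
from dataclasses import dataclass

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'6.2.7' -> (6, 2, 7). Assumes plain dotted numeric versions, no qualifiers."""
    return tuple(int(part) for part in text.split("."))


def release_line(text: str) -> str:
    """'6.2.7' -> '6.2'. EOL status is normally tracked per major.minor line."""
    major, minor = text.split(".")[:2]
    return f"{major}.{minor}"


@dataclass(frozen=True)
class AffectedRange:
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed record: several supported lines are listed, but the EOL 6.2.x
# line that sits between them is absent, just as the article describes.
RECORD = {
    "id": "CVE-0000-PLACEHOLDER",  # placeholder, not a real identifier
    "ranges": [
        AffectedRange("5.7.0", "5.7.20"),
        AffectedRange("6.3.0", "6.3.12"),
        AffectedRange("6.4.0", "6.4.8"),
        AffectedRange("7.0.0", "7.0.5"),
    ],
}

# Constructed EOL data: release lines the maintainers no longer investigate.
EOL_LINES = {"4.2", "6.0", "6.1", "6.2"}


def scanner_verdict(version: str, record: dict) -> str:
    """What a range-matching SCA scanner reports: only listed ranges count."""
    if any(r.contains(version) for r in record["ranges"]):
        return "affected"
    return "not-affected"


def eol_aware_verdict(version: str, record: dict, eol_lines: set[str]) -> str:
    """Same match, plus a flag for EOL versions the record may never have examined."""
    if scanner_verdict(version, record) == "affected":
        return "affected"
    if release_line(version) not in eol_lines:
        return "not-affected"
    # An unlisted EOL line below the newest fix of this CVE: the article's data
    # says such versions are usually affected too, so treat the missing range
    # as "not investigated" rather than "not vulnerable" and queue it for review.
    newest_fix = max(parse_version(r.fixed) for r in record["ranges"])
    if parse_version(version) < newest_fix:
        return "eol-unlisted-review"
    return "not-affected"


if __name__ == "__main__":
    for v in ["6.3.4", "6.2.7", "7.0.5", "4.2.1"]:
        print(f"{v:8} scanner={scanner_verdict(v, RECORD):13} "
              f"eol-aware={eol_aware_verdict(v, RECORD, EOL_LINES)}")
```

The only difference between the two verdicts is the EOL lookup: for 6.2.7 the plain matcher answers "not-affected" because no listed range covers it, while the EOL-aware matcher notices that 6.2 is an unmaintained line older than the newest fix and reports it for manual review. Feeding a scanner a fuller EOL list (endoflife.date or an internal inventory) is what turns that review queue into something useful.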

The impact of this oversight is substantial. Sonatype’s 2026 State of the Software Supply Chain report identified 167,286 false negatives in 2025 alone—instances where exploitable components went unflagged by security tools. This suggests that the actual blast radius of many vulnerabilities is systematically wider than what is reflected in industry-standard CVE feeds (BleepingComputer).

Currently, most security teams rely on data from sources like endoflife.date, which tracks roughly 350 projects and 7,000 specific EOL versions. However, this represents only a small fraction of the total EOL software in use across enterprise environments. Because scanners are calibrated to these known EOL lists and official CVE ranges, they are fundamentally ill-equipped to detect risks in the vast, unmonitored landscape of legacy software (BleepingComputer).

This issue highlights a growing disconnect between the reality of software maintenance and the capabilities of modern security tooling. As the software supply chain continues to expand, the reliance on official CVE ranges as the sole source of truth for risk assessment is becoming increasingly untenable. Security teams may need to look beyond automated scanner output and consider specialized support or manual auditing for legacy components that no longer receive official security updates (BleepingComputer).

Synthesized by Vypr AI