Unapplied Patches Drive Majority of Open Source Breaches

New report finds security incidents are a "routine reality" for nearly half of organizations using open-source software in production.

Security practitioners are increasingly viewing cybersecurity incidents as a routine operational risk, with 47.8% of organizations reporting at least one incident involving open-source software in the past 12 months, according to a new report from TuxCare.

The 2026 Open Source Landscape Report, which surveyed software engineers, system administrators and security analysts, found that the connection between security breaches and unapplied patches remains a critical pain point. Among organizations that experienced an incident, 61.4% reported that a patch was available at the time of the event but had not been deployed. This figure represents a slight increase from 60.4% in the previous year.

Researchers noted that the lack of improvement in patching stats suggests enterprises continue to struggle with the timing, prioritization and deployment of updates despite the known risks.

The report also highlighted a shift in how organizations manage the open-source lifecycle. While internal tracking and dependency tools have become standard, they often fail to prevent "end-of-life" (EOL) breakages. The findings suggest that while tools can identify what software is in an environment, they frequently miss looming lifecycle risks unless the organization has established clear ownership and review cadences.

According to the study, lifecycle awareness is increasingly viewed as an operational challenge rather than a purely technical one.

Beyond incident trends, the third annual report analyzed Linux vulnerability management and open-source supply chain security, reflecting a respondent base primarily composed of technical practitioners responsible for daily uptime and risk management.

About the Author

Jesse Jacobs is assistant editor of SecurityToday.com.

Featured

New Products

  • Squire Vulcan Combination Padlocks

    Squire Locks USA Vulcan™ Resettable Combination Padlocks

    Stop competing with flimsy, retail-grade hardware—Squire's professional-grade resettable padlocks deliver heavy-duty boron steel shackles and front-facing dials for rugged outdoor environments.

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.