Unapplied Patches Drive Majority of Open Source Breaches

New report finds security incidents are a "routine reality" for nearly half of organizations using open-source software in production.

Security practitioners are increasingly viewing cybersecurity incidents as a routine operational risk, with 47.8% of organizations reporting at least one incident involving open-source software in the past 12 months, according to a new report from TuxCare.

The 2026 Open Source Landscape Report, which surveyed software engineers, system administrators and security analysts, found that the connection between security breaches and unapplied patches remains a critical pain point. Among organizations that experienced an incident, 61.4% reported that a patch was available at the time of the event but had not been deployed. This figure represents a slight increase from 60.4% in the previous year.

Researchers noted that the lack of improvement in patching stats suggests enterprises continue to struggle with the timing, prioritization and deployment of updates despite the known risks.

The report also highlighted a shift in how organizations manage the open-source lifecycle. While internal tracking and dependency tools have become standard, they often fail to prevent "end-of-life" (EOL) breakages. The findings suggest that while tools can identify what software is in an environment, they frequently miss looming lifecycle risks unless the organization has established clear ownership and review cadences.

According to the study, lifecycle awareness is increasingly viewed as an operational challenge rather than a purely technical one.

Beyond incident trends, the third annual report analyzed Linux vulnerability management and open-source supply chain security, reflecting a respondent base primarily composed of technical practitioners responsible for daily uptime and risk management.

About the Author

Jesse Jacobs is assistant editor of SecurityToday.com.

Featured

New Products

  • ROAMEO and SARA new product image

    AITX ROAMEO™ and SARA™

    Deploy a unified, self-coordinating outdoor security presence by combining ROAMEO’s autonomous patrol capabilities with SARA’s proactive event assessment and real-time response.

  • Theia Technologies building fisheye

    Theia Technologies Linear Optical Technology®

    Learn how ultra-wide, zero-distortion rectilinear lens design improves spatial accuracy and eliminates the need for software de-warping in real-time robotic and automation systems.

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.