Unapplied Patches Drive Majority of Open Source Breaches
New report finds security incidents are a "routine reality" for nearly half of organizations using open-source software in production.
- By Jesse Jacobs
- Feb 20, 2026
Security practitioners are increasingly viewing cybersecurity incidents as a routine operational risk, with 47.8% of organizations reporting at least one incident involving open-source software in the past 12 months, according to a new report from TuxCare.
The 2026 Open Source Landscape Report, which surveyed software engineers, system administrators and security analysts, found that the connection between security breaches and unapplied patches remains a critical pain point. Among organizations that experienced an incident, 61.4% reported that a patch was available at the time of the event but had not been deployed. This figure represents a slight increase from 60.4% in the previous year.
Researchers noted that the lack of improvement in patching stats suggests enterprises continue to struggle with the timing, prioritization and deployment of updates despite the known risks.
The report also highlighted a shift in how organizations manage the open-source lifecycle. While internal tracking and dependency tools have become standard, they often fail to prevent "end-of-life" (EOL) breakages. The findings suggest that while tools can identify what software is in an environment, they frequently miss looming lifecycle risks unless the organization has established clear ownership and review cadences.
According to the study, lifecycle awareness is increasingly viewed as an operational challenge rather than a purely technical one.
Beyond incident trends, the third annual report analyzed Linux vulnerability management and open-source supply chain security, reflecting a respondent base primarily composed of technical practitioners responsible for daily uptime and risk management.