Datadog's State of DevSecOps 2026 report points to concerning security flaws in contemporary development. According to an analysis of thousands of applications, 87% of organizations have at least one exploitable vulnerability that impacts 40% of their services.
Vulnerability Prevalence by Language: Java services have the most exploitable vulnerabilities (59%), followed by .NET (47%), and Rust (40%). End-of-life (EOL) runtimes increase risks; 10% of services use EOL versions, followed by PHP at 13% and Go at 23%. Vulnerability rates for EOL services are 50%, while those for supported languages are 37%. Java is 492 days behind the most recent versions, while median dependencies are 278 days behind, up from 215 days the previous year.
Compared to daily deployments, less frequent deployments (less than monthly) have 70% more outdated libraries.
Due in part to Spring Framework CVEs, newer libraries (2025) have an average of 1.3 vulnerabilities compared to 3.8 in 2023.

| CVE ID | Affected Component | CVSS Score | Description | Fixed Versions |
|---|---|---|---|---|
| CVE-2023-20861 | Spring Framework | 5.9 (Medium) | DoS through crafted SpEL expressions | 6.0.7+, 5.3.26+, and 5.2.23+ |
| CVE-2023-34034 | Spring WebFlux/Security | 9.8 (Critical) | Access control is broken | Current Spring Security |
| CVE-2025-30066 | tj-actions/changed-files | High | Secrets leaked by a supply chain attack | v46.0.1+ |

50% of organizations use libraries within a day of their release, putting them at risk for malware such as the Shai-Hulud npm worms and s1ngularity (Aug 2025). 32% of Docker images and 12% of public AMIs are quickly grabbed, making name confusion attacks possible. This risk is lessened by pinning by commit SHA, cooldowns (like Yarn/pnpm), and reliable sources.
While 71% of GitHub Actions users never pin hashes, 80% use unpinned third-party hashes, and all users rely on marketplace actions. 2% of compromised actions, such as tj-actions, are executed. To prevent auto-updates, GitHub recommends full SHA pinning.
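The full-SHA pinning recommendation can be checked mechanically. The following is an added example, not code from the Datadog report or this article: it scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA. The `example-org/*` actions and the SHA values in the sample are constructed, and treating the `actions` and `github` owners as first-party is an assumption of this sketch.

```python
import re

# A `uses:` key in a step or job, with optional list dash and quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Assumption: the GitHub-owned "actions" and "github" orgs count as first-party.
FIRST_PARTY_OWNERS = {"actions", "github"}

def classify(ref):
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # same-repository action, versioned with the workflow
    _, sep, version = ref.partition("@")
    # Tags and branches can be repointed and short SHAs are ambiguous;
    # only a full 40-hex commit SHA names one fixed revision.
    if sep and FULL_SHA_RE.fullmatch(version):
        return "pinned"
    return "unpinned"

def audit(workflow_text):
    """List (line_number, reference, origin) for every unpinned action."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if classify(ref) == "unpinned":
            owner = ref.split("/", 1)[0]
            origin = "first-party" if owner in FIRST_PARTY_OWNERS else "third-party"
            findings.append((lineno, ref, origin))
    return findings

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v46.0.1
      - name: Deploy
        uses: example-org/deploy-action@0123456789abcdef0123456789abcdef01234567  # v2.1.0
      - uses: example-org/lint-action@0123456
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, ref, origin in audit(SAMPLE):
        print(f"line {lineno}: {origin} action not pinned to a full SHA: {ref}")
```

Note that a reference to a fixed release tag such as `v46.0.1` is still reported, because a tag can be moved to a different commit after the fact.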
After context adjustment (runtime, exploits), only 18% of "critical" vulnerabilities are still present; PHP retains 49% and .NET drops 98%. The average number of high/critical vulnerabilities per app decreased from 13.5 to 8. Reduce alert fatigue by concentrating on real risks.










