Datadog’s State of DevSecOps 2026 report delivers one of the clearest warnings yet: 87% of organizations have at least one service running a known exploitable vulnerability. These weaknesses impact 40% of all active services, revealing systemic issues across software supply chains, dependency management, and CI/CD security. [datadoghq.com], [cyberpress.org]
Based on analysis of thousands of applications, the report shows how outdated runtimes, unpatched libraries, unpinned GitHub Actions, and rapid adoption of new components collectively expose organizations to preventable compromise.
This article breaks down the findings, highlights critical trends, and outlines the remediation strategies DevSecOps teams need now.
Vulnerability Prevalence by Language
Datadog’s data shows a clear ranking of languages most affected by exploitable vulnerabilities:
- Java: 59% of services with exploitable flaws
- .NET: 47%
- Rust: 40% — proving even memory-safe languages do not eliminate all risk [cyberpress.org], [undercodenews.com]
This confirms that vulnerability exposure is not solely tied to language safety models but also ecosystem maturity, library update cycles, and the rate of dependency churn.
The Hidden Danger of End‑of‑Life (EOL) Runtimes
EOL runtimes significantly amplify exploitation risk.
Key data points from the report:
- 10% of all services run on EOL versions
- Go leads with 23% of services on unsupported versions
- PHP follows at 13%
- Services on EOL runtimes experience a 50% vulnerability rate, compared to 37% for supported versions [cyberpress.org], [datadoghq.com]
Why EOL equals danger:
Unsupported languages no longer receive patches, meaning publicly known CVEs remain exploitable indefinitely.
Dependency Lag: 278 Days Behind on Average
One of the most alarming trends is how outdated dependencies have become.
- Median dependency lag: 278 days behind latest releases (up from 215 last year)
- Java ecosystems show the worst delay at 492 days on average
- Services deploying less than monthly have 70% more outdated libraries than those deploying daily [cyberpress.org], [undercodenews.com]
This creates a massive window of opportunity where known, patched vulnerabilities remain active in production.
Newer Libraries Have Fewer Vulnerabilities
There’s a silver lining: libraries released in 2025 average just 1.3 vulnerabilities, compared to 3.8 in 2023, thanks in part to the resolution of high-profile Spring Framework CVEs. [cyberpress.org]
Examples of relevant Spring CVEs:
| CVE | Component | Severity | Description | Fixed Versions |
|---|---|---|---|---|
| CVE‑2023‑20861 | Spring Framework | 5.9 Medium | DoS via crafted SpEL expression | 6.0.7+, 5.3.26+, 5.2.23+ |
| CVE‑2023‑34034 | Spring WebFlux/Security | 9.8 Critical | Broken access control | Latest Spring Security |
| CVE‑2025‑30066 | tj‑actions / changed‑files | High | Supply chain attack leaking secrets | v46.0.1+ |
The Supply Chain Problem: Adopting New Libraries Too Fast
While dependencies lag, teams also move too fast in other areas:
- 50% of organizations adopt libraries within 24 hours of release
- This increases exposure to malware in new packages like s1ngularity (Aug 2025) and Shai‑Hulud npm worms
- 12% rapidly adopt public AMIs
- 32% pull unverified Docker images immediately after release
[cyberpress.org]
Risk:
Freshly released libraries have not yet undergone broad scrutiny. Threat actors increasingly seed malicious packages targeting fast adopters.
Mitigations:
- Commit SHA pinning
- Cooldowns (Yarn, pnpm)
- Trusted registries
- Artifact signing policies
GitHub Actions: A Silent Supply Chain Risk
Every organization using GitHub Actions relies on marketplace components, but the majority fail to pin versions correctly:
- 71% never pin actions to commit hashes
- 80% use unpinned third‑party actions
- 2% still run versions previously compromised (such as tj‑actions)
[cyberpress.org]
GitHub explicitly recommends full SHA pinning to prevent automatic updates from introducing malicious or unexpected behavior.
Only 18% of Critical Vulnerabilities Are Truly Critical
Contextual analysis reduces noise dramatically:
- Only 18% of vulnerabilities labeled “critical” remain critical after runtime analysis
- .NET vulnerabilities drop 98% once context is applied
- PHP retains 49%, indicating more meaningful severity distribution
- Average high/critical vulnerabilities per app dropped from 13.5 to 8 year‑over‑year
citeturn14search2
Why this matters
Teams overwhelmed by noisy alerts may waste time on theoretical risk while missing actively exploitable issues.
Context reduces alert fatigue and improves remediation efficiency.
What’s Driving the Security Gap?
Datadog’s chief observation:
“Security risk is increasingly shifting upstream—into build pipelines and dependencies—not just production code.”
— Datadog’s State of DevSecOps Report 2026 [datadoghq.com], [itwire.com]
Key upstream failure points:
- Outdated runtimes
- Unmaintained dependencies
- Unpinned GitHub Actions
- Rapid adoption of unvetted releases
- Supply chain attacks via npm, AMIs, Docker images
Modern development pipelines are faster than ever—security processes are not.
Best Practices: How to Reduce Vulnerability Exposure
1. Keep runtimes updated
EOL versions dramatically increase exploitability.
2. Shorten dependency lag
Set goals for <90 days behind latest releases.
3. Enforce GitHub Actions SHA pinning
Prevents silent upstream code changes.
4. Introduce cooldown periods
Avoid adopting libraries or images within 48–72 hours of release.
5. Evaluate true runtime risk
Use contextual vulnerability analysis to reduce noise.
6. Strengthen supply-chain controls
- Signed artifacts
- Trusted registries
- SBOM generation
- Continuous dependency scanning
Conclusion
The Datadog State of DevSecOps 2026 report makes one thing clear: exploitable vulnerabilities are now the norm, not the exception. With 87% of organizations exposed and supply-chain weaknesses accelerating risk, DevSecOps teams must modernize their security posture.
By focusing on runtime context, dependency hygiene, supply-chain integrity, and CI/CD hardening, organizations can dramatically reduce exploitable attack surfaces—and finally break the cycle of vulnerability debt.
