How to find end-of-life software before it bites you

End-of-life · 6-min read · updated June 2026

End-of-life software is a quiet, compounding risk: it works fine until a vulnerability lands and there's no patch coming, ever. The cure is boring and effective — know your support dates and upgrade before they pass.

The four steps

1. Inventory what you run

List every product and major version in production — OS, runtimes, frameworks, databases, libraries. You cannot track support dates for software you have not written down.

2. Look up each support lifecycle

For each, find the end-of-support / end-of-life date for the version you run. Vendors and endoflife.date publish these.

3. Flag what is already EOL or close

Anything past EOL is getting no security fixes — treat new CVEs against it as permanent. Anything within ~6–12 months needs an upgrade plan now.

4. Plan upgrades before patches stop

Sequence migrations by exposure and effort, and budget the work. Upgrading on your schedule is far cheaper than doing it during an incident.

How to triage what you find

| Status | Meaning | Action |
| --- | --- | --- |
| Past EOL | No more security fixes | Upgrade or isolate now; treat new CVEs as unfixable |
| EOL < 6 months | Support ending soon | Have a migration plan in flight |
| EOL < 12 months | On the horizon | Budget and schedule the upgrade |
| Supported | Patches still flow | Keep current; re-check lifecycle yearly |

Don't forget dependencies. An app can be "current" while bundling an EOL library or runtime. Check the components inside, not just the top-level product — that's where an SBOM helps.
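
An added example (not part of the original guide or any IsItPatched tooling): steps 1 to 3 and the triage table applied to an inventory that includes bundled components, sorted most urgent first. The product names, versions, dates and the extra "Unknown" status are constructed assumptions.

```python
import calendar
from datetime import date

def add_months(d, n):
    """Shift d forward n calendar months, clamping to the month's last day."""
    y, m = divmod(d.month - 1 + n, 12)
    return date(d.year + y, m + 1, min(d.day, calendar.monthrange(d.year + y, m + 1)[1]))

def triage(eol, today):
    """Map an EOL date to a (status, action) row of the triage table."""
    if eol is None:  # assumption: not a row in the table; no lifecycle date found
        return "Unknown", "Look up the support lifecycle"
    if eol < today:  # assumption: the EOL date itself still counts as supported
        return "Past EOL", "Upgrade or isolate now; treat new CVEs as unfixable"
    if eol < add_months(today, 6):
        return "EOL < 6 months", "Have a migration plan in flight"
    if eol < add_months(today, 12):
        return "EOL < 12 months", "Budget and schedule the upgrade"
    return "Supported", "Keep current; re-check lifecycle yearly"

def walk(items, parent=""):
    """Yield (path, name, version) for each product and every bundled component."""
    for name, ver, comps in items:
        path = f"{parent} > {name}" if parent else name
        yield path, name, ver
        yield from walk(comps, path)

ORDER = ["Past EOL", "EOL < 6 months", "EOL < 12 months", "Unknown", "Supported"]
def report(inventory, lifecycles, today):
    """Triage the whole inventory: most urgent status first, then earliest EOL."""
    rows = [(path, ver, lifecycles.get((name, ver))) for path, name, ver in walk(inventory)]
    rows = [(p, v, eol, *triage(eol, today)) for p, v, eol in rows]
    return sorted(rows, key=lambda r: (ORDER.index(r[3]), r[2] or date.max))

# Constructed sample data: hypothetical products and dates, not real vendor lifecycles.
TODAY = date(2026, 6, 16)
LIFECYCLES = {
    ("exampledb", "14"): date(2027, 3, 1), ("exampleweb", "2"): date(2029, 1, 1),
    ("examplessl", "1.1"): date(2024, 9, 11), ("examplelang", "3.9"): date(2026, 10, 31),
}
INVENTORY = [  # (name, version, bundled components)
    ("exampledb", "14", []),
    ("exampleweb", "2", [("examplessl", "1.1", []), ("examplelang", "3.9", []),
                         ("examplezip", "0.4", [])]),  # examplezip: no lifecycle entry
]

if __name__ == "__main__":
    for path, ver, eol, status, action in report(INVENTORY, LIFECYCLES, TODAY):
        print(f"{status:<16} {path} {ver} (EOL {eol}): {action}")
```

In the sample, exampleweb itself is Supported while its bundled examplessl is Past EOL, which is the dependency case described above.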


Frequently asked questions

Why is end-of-life software a security risk?

Once a release is end-of-life the vendor stops shipping security patches, so any new vulnerability stays unfixed forever. See "what is end-of-life software".

Is EOL the same as a vulnerability?

Not exactly — it is a risk multiplier. EOL software may have no known CVE today, but when one lands there is no official fix, so the exposure only grows over time.

How far ahead should I plan upgrades?

Aim to migrate before EOL, not after. Start planning 6–12 months out for anything material, since upgrades often touch dependencies and need testing.

How can I see what is going EOL across my stack?

The IsItPatched end-of-life calendar tracks support dates for many products, and My Stack flags EOL items in your monitored set.

This guide is vendor-neutral and informational, grounded in publicly-available guidance from bodies such as OWASP, NIST and CISA. IsItPatched is independent and not affiliated with them, and this is not legal or compliance advice. See our disclaimer.
