Black Duck Report Finds Open-Source Vulnerabilities per Commercial Codebase More Than Doubled
Black Duck’s 2026 Open Source Security and Risk Analysis (OSSRA) report found a sharp rise in open-source security debt across commercial software, with mean vulnerabilities per audited codebase increasing from ~280 to 581 (a 107% jump) and unique vulnerabilities averaging ~237. The report attributes the increase to expanding codebase size and dependency complexity—e.g., more files per codebase and more open-source components—while also pointing to AI coding assistants as a likely contributor to accelerated code volume growth and repeated inclusion of widely used libraries with long vulnerability histories.
Across the audited population (hundreds of codebases spanning multiple industries), the share of codebases containing at least one vulnerability remained consistently high (mid-to-high 80% range), but the absolute number of findings surged, including extreme outliers with tens of thousands of vulnerabilities in a single codebase. The report also notes that high/critical-severity issues remain common (most codebases have at least one high-risk issue; nearly half have at least one critical issue), and highlights broader ecosystem factors increasing disclosure volume (e.g., the Linux kernel becoming a CVE Numbering Authority) alongside ongoing software supply chain attack pressure, including malicious or compromised packages in major ecosystems.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
EU Cyber Resilience Act obligations highlighted ahead of September 2026
The OSSRA report warned that the EU Cyber Resilience Act will increase obligations around vulnerability management, SBOM maintenance, and reporting timelines across a product's lifecycle. It identified outdated components and slow update cycles as growing compliance and security risks before the law takes effect in September 2026.
Black Duck published its 2026 OSSRA findings
On February 26, 2026, Black Duck's 2026 Open Source Security and Risk Analysis findings were reported publicly, showing average open-source vulnerabilities per commercial codebase rose from 280 to 581 year over year. The report also found growing codebase size, dependency sprawl, maintenance debt, and record license-conflict risk.
Organizations reported widespread software supply chain attacks
Black Duck reported that 65% of surveyed organizations experienced a software supply chain attack in the prior year. The report also pointed to malicious package activity across major ecosystems, including coordinated npm campaigns.
CISA added jQuery CVE-2020-11023 to the KEV catalog
CISA added CVE-2020-11023, a jQuery cross-site scripting vulnerability highlighted in the OSSRA findings, to its Known Exploited Vulnerabilities catalog. The report cites this as part of the broader rise in disclosed and tracked open-source risk.
Black Duck audited 947 codebases for its 2026 OSSRA report
Black Duck analyzed 947 commercial codebases spanning 2,843 projects across 17 industries for its 2026 Open Source Security and Risk Analysis report. The audit period ran from November 2024 through October 2025.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Industry reports highlight growing software security debt and DevSecOps supply-chain exposure
Recent industry reporting based on *Veracode’s 2026 State of Software Security* findings indicates **security debt**—defined as known vulnerabilities left unresolved for more than a year—has become a widespread governance and risk-management issue for CISOs. Across analysis of **1.6 million unique applications** assessed via static/dynamic analysis, SCA, and penetration testing, Veracode reported security debt present in **82% of organizations** (up from 74% in 2025) and **critical security debt** in **60%** (up from 50%), reflecting that long-lived, high-severity/high-exploitability issues are increasingly persisting across release cycles, particularly in legacy or high-dependency code where teams are reluctant to make changes. Separately, *Datadog’s State of DevSecOps 2026* reporting describes software supply-chain and pipeline practices that sustain this exposure in cloud-native environments: **87% of organizations** were observed running at least one exploitable vulnerability in production services, affecting **40%** of those services. The report highlights growing dependency lag (median **278 days** behind the latest major version, up from 215 days) while also noting a countervailing risk pattern where **half of organizations** adopt third-party libraries within **one day** of release, increasing the chance of ingesting malicious or insufficiently vetted code; it also flags build/pipeline surface area (e.g., widespread GitHub Actions usage) as part of the broader DevSecOps risk picture.
Mar 21, 2026
Open-Source Supply-Chain Risk Amplified by AI-Accelerated Development and Automation
Software supply-chain compromise continued to blend into normal development activity, with attackers exploiting the speed and trust of modern workflows—third-party dependencies, automated updates, and rapid release cycles—to distribute malware and steal credentials. A ReversingLabs study covering 2025 open-source ecosystems reported **npm** as the dominant distribution channel for malicious packages, including incidents where attackers **compromised maintainer accounts** and shipped tainted updates that propagated quickly into downstream projects via routine dependency updates and CI/CD processes. One highlighted case was the **Shai-hulud** worm, described as a registry-native, self-propagating threat that used **stolen credentials** to inject malicious code into **hundreds of packages**, exposing **tens of thousands of downstream repositories** and complicating detection because it did not rely on external infrastructure. In parallel, commentary on generative AI’s impact on software delivery emphasized that faster code production and release pressure can increase security debt: reported industry claims that **20–30% of code** at major firms is AI-generated, alongside estimates that a large share of AI-generated code can introduce **OWASP Top 10**-class weaknesses, reinforcing the need for stronger testing and controls as development velocity increases.
Mar 21, 2026
Supply Chain and Vulnerability Data Gaps Undermining Security Programs
A recent ISC2 survey of over 1,000 cybersecurity professionals highlights growing concern about the risks introduced by expanding vendor ecosystems and supply chain sprawl. Nearly 70% of organizations are worried about third-party supplier risks, with the highest concern in enterprises and sectors handling sensitive data such as finance and government. Lack of visibility into vendor and subcontractor security practices remains a critical challenge, with many organizations relying on trust rather than verification. One in three respondents reported experiencing a vendor-related security incident in the past two years, yet almost half did not feel a direct impact, raising questions about continuity and the reliability of vendor security claims. Compounding these risks, a Sonatype analysis reveals that the vulnerability scoring infrastructure, particularly the NVD and CVE programs, is failing to keep pace with modern software development practices. In 2025, 64% of open source CVEs lacked a CVSS score in the NVD, forcing security teams to make risk decisions with incomplete data. Discrepancies in severity ratings and significant delays—averaging six weeks between disclosure and scoring—undermine the effectiveness of automated security tools and response cycles. These gaps in both supply chain visibility and vulnerability intelligence are eroding confidence in the data that underpins security programs, increasing the likelihood of both missed threats and wasted resources.
May 6, 2026