Datadog 2026 Report Reveals 87% of Organizations Deploy Software Containing Known Exploitable Vulnerabilities
New Datadog research finds 87% of firms run exploitable software. Learn why third-party risks and unmaintained libraries are driving a global security debt crisis.
By: AXL Media
Published: Mar 4, 2026, 4:41 AM EST
Source: The information in this article was sourced from ITPro

The Persistent Challenge of Exploitable Software Vulnerabilities
A comprehensive study of the global software delivery lifecycle has revealed that the vast majority of organizations are currently operating services with known, exploitable security flaws. According to Datadog’s 2026 State of DevSecOps report, 87% of enterprises have deployed at least one such vulnerability, a statistic that underscores the inherent risks in modern rapid-deployment environments. The problem is particularly acute in Java-based services, where nearly 60% of applications contain exploitable defects, followed by .NET and Rust at 47% and 40% respectively. These figures suggest that despite the maturation of security tools, the baseline safety of deployed code remains a significant concern for the industry.
The Growing Crisis of Stagnant and Unmaintained Dependencies
The report identifies a worrying trend in the accumulation of "technical debt" related to third-party software libraries. Data shows that 42% of active services now rely on libraries that have been abandoned by their maintainers, leaving them without future security patches or performance updates. Furthermore, the median software dependency has fallen 278 days behind its latest major version, a notable increase from the 215-day gap recorded just one year ago. This lag is even more pronounced in specific ecosystems, with Java and Ruby dependencies trailing by 492 and 357 days respectively, creating a massive backlog of outdated code that is increasingly difficult to secure.
The Paradox of Speed and Supply Chain Compromise
While rapid patching is traditionally viewed as a security best practice, the report warns that extreme speed can introduce its own set of risks. Approximately half of the surveyed organizations now adopt new library versions within 24 hours of their release, a pace that researchers suggest may facilitate supply chain attacks. By updating immediately without adequate vetting, teams risk unknowingly installing malicious code injected into new releases before the community can identify the threat. This tension between the need to patch known flaws and the risk of automated supply chain poisoning has left many DevSecOps teams in a difficult strategic position.