Open source code sits inside nearly every commercial application, and development teams continue to add new dependencies. Data from Black Duck’s 2026 Open Source Security and Risk Analysis Report shows that nearly all audited codebases contain open source components, with average component counts rising sharply over the past year.
That growth brings a parallel increase in exposure. Mean vulnerabilities per codebase climbed from 280 to 581 in one year, more than doubling. Median vulnerabilities also rose. The spread between mean and median points to a long tail of heavily burdened applications, including extreme outliers with tens of thousands of findings.
Top 10 most prevalent CVEs and BDSAs in 2025 (Source: Black Duck)

