CVE-2026-11998 just dropped in AngularJS: a High-severity XSS that bypasses Strict Contextual Escaping and lets attackers load arbitrary scripts in the user’s browser. AngularJS went EOL in December 2021. The Angular team will never patch this. We already did. #AngularJS #CyberSecurity #XSS #CVE #WebSecurity
HeroDevs
Software Development
Sandy, Utah 7,077 followers
Secure Drop-In Replacements For Your Favorite Open Source Software | Security Patching • Compliance • Compatibility
About us
HeroDevs is the industry expert on “life after end-of-life” for open-source software. Our open-source packages and experts let you keep using your software safely and in compliance — allowing you to migrate if and when you’re ready. We let your developers focus on mission-critical work, while we keep your open-source stack running in the background.
- Website: https://herodevs.com
- Industry: Software Development
- Company size: 51-200 employees
- Headquarters: Sandy, Utah
- Type: Privately Held
- Founded: 2018
- Specialties: Web, Web Development, Architecture, Open Source, End-of-Life, Angular, Vue, Nx, React, Cypress, and AngularJs
Locations
- Primary: 8850 S 700 East, 2437, Sandy, Utah 84070, US
Updates
- Spring Boot 3.5 just shipped its final patch: 3.5.16. That's the end of the line. No more upstream security fixes — and there's no 3.6. The next stop is 4.0. Not a version bump. A full platform migration. Your choices: → Migrate to 4.0 now, under deadline pressure → Keep 3.5 secure while you plan it properly HeroDevs NES for Spring is the second — drop-in patches, no code changes, full compliance. On your timeline, not the calendar's. 🗓️ #SpringBoot #Java #EOL #ApplicationSecurity #DevSecOps
- New high-severity XSS just hit AngularJS. The framework's been dead since 2021 — no patch is coming. 🪦 Your scanners won't flag it. There's no fix to point to, so the risk just sits there: stolen sessions, hijacked accounts, data walking out the door. If AngularJS is still in production, it's a problem now — whether you've noticed or not. #AngularJS #XSS #CyberSecurity #AppSec #WebSecurity #VulnerabilityManagement #EndOfLife #CVE
- Nearly 5 years after AngularJS went end-of-life, we just found another High-severity CVE in it. 🚨 Not “saw it land in a feed.” Found it. George Kalpakas, Software Engineer at HeroDevs, discovered CVE-2026-11998 and we shipped the patch. That’s not luck. It’s what happens when the people maintaining your security coverage are the ones still actively looking at a framework everyone else walked away from. #AngularJS #AppSec #CVE #OpenSource #SoftwareSupplyChain
- HeroDevs is proud to announce that we've joined the Commonhaus Foundation as the founding member of the Open Source Sustainability Initiative. What this means: continued commercial support for older versions of Hibernate, Jackson, and Quarkus — so the enterprises that depend on them get time to upgrade safely instead of scrambling after the next disclosure. Great conversations between our COO Rob Nalen and Mike Vizard on why this matters now. Worth a watch. 🎧
  - It was a pleasure speaking with Michael Vizard about the HeroDevs and Commonhaus Foundation partnership. https://lnkd.in/eSvahw7e
- Punta Cana, 2026. 🌴 Offsites remind us that the mission is bigger than any one ticket, patch, or release. It's people — building something we genuinely believe in, together. Thanks to every Hero who made the 2026 offsite unforgettable. 🦸 #HeroDevs #TeamOffsite #PuntaCana #CompanyCulture
- Spring published 67 CVEs in June 2026 — 27 High severity. All of 2025 saw 17. The bigger risk isn't the count. When a version leaves commercial support, new flaws stop being evaluated against it — so your scanner reports you clean while the vulnerable code still ships. June alone hid 21+ of these "silent" CVEs per Spring Boot line. HeroDevs is the trusted source for Never-Ending Support, evaluating every new advisory against the exact version you run. #Spring #SpringBoot #Java #AppSec #EOL
- There's a real difference between a runbook your team wrote and a runbook your team has actually run. Worth a read if your team has a recovery plan it's never actually executed under pressure. Most do.
  - Check out my latest blog post on a recent disaster recovery exercise we ran at HeroDevs! If your team isn't running gamedays, I'd highly recommend it. Here are just 3 benefits of exercising your incident response muscles: * Put your otherwise untested runbooks and disaster recovery guides to the test * Uncover hidden dependencies, stale documentation, and opportunities for improvement * Establish a common language and be better prepared for when a real incident shows up
- Angular used to be the quiet corner of JavaScript. Not anymore. 🤫 21 CVE advisories in 2026 — 15 in a single two-week window. Most hit end-of-life versions (v4–v19) that will never get an upstream patch. For supported Angular, a patch ships and the window closes. For EOL, the disclosures keep coming and the fixes never do. HeroDevs closes that gap. NES for Angular delivers ongoing CVE fixes for the exact versions the Angular team no longer patches. #Angular #OpenSource #AppSec #EOL