Base weakness

Incomplete

CWE-1104: Use of Unmaintained Third Party Components

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

Last updated May 1, 2026

14

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-1104 (Use of Unmaintained Third Party Components) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

14 recorded CVEs are caused by CWE-1104 (Use of Unmaintained Third Party Components). The highest-severity and most recent are shown first. 3 new CWE-1104 CVEs have been recorded so far in 2026 (6 in 2025).

2026-04-22

CVE-2025-34192

Vasion Print (formerly PrinterLogic) Usage of Outdated and Unsupported OpenSSL Version

Critical · CVSS 9.3 · EPSS 73th

2025-09-19

CVE-2024-11999

High · CVSS 8.8 · EPSS 58th

2024-12-17

CVE-2022-46871

High · CVSS 8.8 · EPSS 74th

2022-12-22

CVE-2025-3497

Radiflow iSAP Smart Collector Linux distribution unmaintained

High · CVSS 8.7 · EPSS 64th

2025-07-09

CVE-2025-20010

High · CVSS 8.5 · EPSS 16th

2025-11-11

CVE-2026-21821

HCL BigFix SCM Reporting is affected by vulnerabilities in jQuery

High · CVSS 8.3 · EPSS 15th

2026-05-13

CVE-2024-35252

Azure Storage Movement Client Library Denial of Service Vulnerability

High · CVSS 7.5 · EPSS 90th

2024-06-11

CVE-2021-22142

Medium · CVSS 6.6 · EPSS 67th

2023-11-22

CVE-2025-52658

HCL MyXalytics is affected by the use of vulnerable/outdated versions

Low · CVSS 3.5 · EPSS 26th

2025-10-03

Showing 12 of 14 recorded CWE-1104 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-1104 vulnerabilities

Common consequences

What can happen when CWE-1104 is exploited.

Reduce Maintainability, Varies by Context

Affects: Other

Relying on unmaintained components makes it difficult or impossible to fix significant bugs and vulnerabilities, can render code obsolete, and undermine security by complicating maintenance and increasing the risk of new vulnerabilities.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Applies to

Technologies

ICS/OT

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2025-40906 — Perl module for BSON serialization includes a component that reached end-of-life approximately five years previously, but has multiple vulnerabilities.
CVE-2024-35252 — Closed-source cloud storage product includes an unmaintained third-party component that allows denial of service

Frequently asked questions

Common questions about CWE-1104.

What is CWE-1104?

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

What CVEs are caused by CWE-1104?

14 recorded CVEs are attributed to CWE-1104, including CVE-2025-12104, CVE-2025-10220, CVE-2026-41468.

How is CWE-1104 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-1104?

Exploiting CWE-1104 can lead to: Reduce Maintainability, Varies by Context.

Is CWE-1104 actively exploited?

14 recorded CVEs are caused by CWE-1104; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-1104

Get alerted the moment a new CWE-1104 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing