winget packages with open CVEs

2,250 mapped packages currently have at least one open vulnerability. Ranked by critical CVEs published in the last 30 days, then total open CVEs, then install popularity. Updated 6/20/2026, 6:33:41 PM.

Microsoft .NET Runtime 5.0
Microsoft Corporation · v5.0.17
83
open
cURL
curl · v8.20.0.5
81
open
MongoDB Shell
MongoDB Inc. · v2.8.3
77
open
MongoDB CLI
MongoDB, Inc. · v2.0.7
77
open
PHP 8.4
PHP Group · v8.4.22
76
open
PHP 8.1
PHP Group · v8.1.34
76
open
PHP 8.5
PHP Group · v8.5.7
76
open
PHP 8.5 - Non-thread safe
PHP Group · v8.5.7
76
open
PHP 8.1 - Non-thread safe
PHP Group · v8.1.34
76
open
PHP 8.4 - Non-thread safe
PHP Group · v8.4.22
76
open
PHP 8.3
PHP Group · v8.3.31
76
open
PHP 8.2 - Non-thread safe
PHP Group · v8.2.31
76
open
GrafanaOSS
Grafana Labs · v13.0.2
76
open
PHP 8.3 - Non-thread safe
PHP Group · v8.3.31
76
open
PHP 8.2
PHP Group · v8.2.31
76
open
Node.js (LTS)
Node.js Foundation · v24.17.0
75
open
Hanword HWP document converter for Microsoft Word
Microsoft Corporation · v15.0.4454.1506
75
open
Node.js 22
Node.js Foundation · v22.23.0
75
open
Node.js 20
Node.js Foundation · v20.20.2
75
open
Node.js
Node.js Foundation · v26.3.1
75
open
Node.js 8
Node.js Foundation · v8.11.3
75
open
Node.js 10
Node.js Foundation · v10.24.1
75
open
Node.js 14
Node.js Foundation · v14.21.3
75
open
Node.js 19
Node.js Foundation · v19.9.0
75
open