winget packages with open CVEs

2,250 mapped packages currently have at least one open vulnerability. Ranked by critical CVEs published in the last 30 days, then total open CVEs, then install popularity. Updated 5/4/2026, 6:36:27 PM.

NVIDIA DisplayID Firmware Updater
NVIDIA Corporation · v1.1.0
68
open
PHP 8.4
PHP Group · v8.4.20
66
open
PHP 8.5
PHP Group · v8.5.5
66
open
PHP 8.1
PHP Group · v8.1.34
66
open
PHP 8.3 - Non-thread safe
PHP Group · v8.3.30
66
open
PHP 8.2 - Non-thread safe
PHP Group · v8.2.30
66
open
PHP 8.4 - Non-thread safe
PHP Group · v8.4.19
66
open
PHP 8.3
PHP Group · v8.3.30
66
open
PHP 8.2
PHP Group · v8.2.30
66
open
PHP 8.1 - Non-thread safe
PHP Group · v8.1.34
66
open
PHP 8.5 - Non-thread safe
PHP Group · v8.5.5
66
open
QNAP Qsync Client
QNAP Systems, Inc. · v6.0.1.0410
62
open
Hanword HWP document converter for Microsoft Word
Microsoft Corporation · v15.0.4454.1506
62
open
MongoDB Shell
MongoDB Inc. · v2.8.2
61
open
MongoDB CLI
MongoDB, Inc. · v2.0.7
61
open
UniversalForwarder
Splunk, Inc. · v10.2.3
59
open
Liberica NIK 22 Full (JDK 11)
BellSoft · v22.3.5
58
open
Liberica NIK 23 Full (JDK 17)
BellSoft · v23.0.5
58
open
Liberica NIK 23 (JDK 17)
BellSoft · v23.0.5
58
open
Liberica NIK Core 23 (JDK 21)
BellSoft · v23.1.4
58
open
Suricata IDS/IPS
Open Information Security Foundation · v7.0.10
57
open
Octopus Deploy Server
Octopus Deploy Pty. Ltd. · v2025.3.14327
55
open
Couchbase Server
Couchbase Inc. · v7.0.6703
55
open
Couchbase Server Enterprise Edition
Couchbase Inc. · v7.0.7031
55
open