Methods, apparatus, and processor-readable storage media for prioritizing patching of vulnerable components are provided herein. An example computer-implemented method includes obtaining information indicative of a first set of components embedded in a software package; determining risk levels for respective ones of the components in the first set based on a data flow representation of the software package; and assigning a priority for patching a software vulnerability in a given component of the first set based at least in part on the risk level of the given component.