Java present on a system but not installed. Is this a cybersecurity issue?

ive currently got a java application which has several components such as mysql. these components are heavily outdated. these components are all present on the D;/ disk but are not installed on the C;/ disk (as in, can't uninstall them via the control panel).

does this form a risk? even though java isnt installed, it is present on the system. can vulnerabilities be exploited this way?

i've scanned the system with nessus, but can't find any "vulnerabilities" because the components are not installed. but i'm certain there are some vulnerabilities available in the version of java i have on my system. any nessus alternatives?

if anyone has more sources about this i can read about please share them.