CVE-2026-10696
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
The use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to correlate an installed application with an unrelated, attacker-controlled catalog package.
Risk Assessment
An attacker can install malicious software by manipulating catalog packages, posing a serious threat to user system security.
Recommendation
It is recommended to update to the latest version of Devolutions UniGetUI and to monitor and verify package sources before applying them.
Original NVD description (English source)
Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.

