CVE Catalog

CVE-2026-10696

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

The use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to correlate an installed application with an unrelated, attacker-controlled catalog package.

Risk Assessment

An attacker can install malicious software by manipulating catalog packages, posing a serious threat to user system security.

Recommendation

It is recommended to update to the latest version of Devolutions UniGetUI and to monitor and verify package sources before applying them.

Original NVD description (English source)

Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS