CVE-2026-10696
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.
| CWE | CWE-706 |
| Vendor | devolutions |
| Product | unigetui |
| Published | Jun 17, 2026 |
| Last Updated | Jun 17, 2026 |
Affected Versions
Devolutions / UniGetUI
0 ≤ 2026.2.1