References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

{"timestamp":"2026-06-17T19:38:53.962259Z","id":"CVE-2026-10696","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

Use of an incorrectly resolved name or reference in the pinget backend 
in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community 
catalog contributor to cause an installed application to be correlated 
to an unrelated, attacker-controlled catalog package and to execute an 
attacker-controlled installer via a crafted catalog package whose 
normalized name is contained as a substring within the installed 
application name when a user applies the proposed update.

CWE-706

https://devolutions.net/security/advisories/DEVO-2026-0019

[{"vendor":"Devolutions","product":"UniGetUI","defaultStatus":"unaffected","versions":[{"version":"0","lessThanOrEqual":"2026.2.1","versionType":"custom","status":"affected"}]}]