CVE-2026-10696
Status: Received - Intake
Incorrect Name Resolution in Devolutions UniGetUI

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Devolutions Inc.

Description
Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.
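The flaw class in the description is a correlation step that accepts a catalog entry whenever its normalized name is a substring of the installed application's name. The model below is an added illustrative example, not UniGetUI's or WinGet's own code; the normalization rule (lower-case, letters and digits only), the package identifiers, names, versions and URLs are all constructed. It places the substring-based correlation beside an exact-match variant that also refuses to choose when two catalog entries normalize to the same name, and runs both through the same update-proposal logic on the same constructed catalog:

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

def normalize(name: str) -> str:
    """Constructed normalization rule (assumption): lower-case, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

@dataclass(frozen=True)
class CatalogPackage:
    package_id: str      # catalog identifier (hypothetical values below)
    name: str            # display name as submitted by the catalog contributor
    version: str
    installer_url: str   # where the installer would be fetched from

@dataclass(frozen=True)
class InstalledApp:
    name: str
    version: str

def version_key(version: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. "3.10" -> (3, 10)."""
    return tuple(int(part) for part in version.split("."))

def correlate_by_substring(app: InstalledApp, catalog: List[CatalogPackage]) -> Optional[CatalogPackage]:
    """Flawed correlation: the first catalog package whose normalized name appears
    anywhere inside the normalized installed-application name wins, so a short,
    generic name submitted to the catalog can capture an unrelated application
    (in this sample the generic entry is listed first, which decides the outcome)."""
    app_norm = normalize(app.name)
    for pkg in catalog:
        if normalize(pkg.name) in app_norm:
            return pkg
    return None

def correlate_exact(app: InstalledApp, catalog: List[CatalogPackage]) -> Optional[CatalogPackage]:
    """Hardened correlation: the whole normalized names must be equal, and if more
    than one catalog entry normalizes to the same name the match is rejected
    rather than guessed."""
    app_norm = normalize(app.name)
    matches = [pkg for pkg in catalog if normalize(pkg.name) == app_norm]
    return matches[0] if len(matches) == 1 else None

def proposed_updates(installed: List[InstalledApp], catalog: List[CatalogPackage],
                     correlate: Callable[[InstalledApp, List[CatalogPackage]], Optional[CatalogPackage]]) -> dict:
    """Map installed app name -> (package_id, version, installer_url) for every app
    whose correlated catalog entry carries a higher version than what is installed."""
    updates = {}
    for app in installed:
        pkg = correlate(app, catalog)
        if pkg is not None and version_key(pkg.version) > version_key(app.version):
            updates[app.name] = (pkg.package_id, pkg.version, pkg.installer_url)
    return updates

# Constructed sample data (not real catalog entries or installed software).
CATALOG = [
    CatalogPackage("Mallory.Office", "Office", "99.0", "https://catalog.example/office/setup.exe"),
    CatalogPackage("Acme.OfficeSuite", "Acme Office Suite", "3.1", "https://downloads.example/acme/3.1.msi"),
]
INSTALLED = [InstalledApp("Acme Office Suite", "3.0")]

if __name__ == "__main__":
    # Substring correlation proposes the unrelated "Office" entry's installer;
    # exact correlation proposes the genuine 3.1 package.
    print("substring:", proposed_updates(INSTALLED, CATALOG, correlate_by_substring))
    print("exact:    ", proposed_updates(INSTALLED, CATALOG, correlate_exact))
```

The design point for a defender reviewing similar code: "normalized name X is contained in name Y" is a fuzzy heuristic, and a catalog that accepts community submissions means every string on the catalog side is untrusted input to that heuristic. Requiring whole-name equality (or, better, a stable package identifier plus publisher) and treating ambiguity as "no match" removes the substring foothold without changing the normalization rule itself.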
Meta Information
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: devolutions
Product: unigetui
Version / Range: 2026.2.0
CWE
CWE-706: The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Executive Summary

This vulnerability exists in the pinget backend of Devolutions UniGetUI version 2026.2.0 and earlier. It involves the use of an incorrectly resolved name or reference, which allows a WinGet community catalog contributor to manipulate the system. Specifically, an attacker can cause an installed application to be mistakenly linked to an unrelated, attacker-controlled catalog package. When a user applies a proposed update, this crafted catalog package can execute an attacker-controlled installer because the normalized name of the malicious package is contained as a substring within the installed application's name.

Impact Analysis

The impact of this vulnerability is that an attacker can execute arbitrary code on the affected system without requiring user interaction or privileges. This is achieved by tricking the system into running an attacker-controlled installer during an update process. Although the confidentiality and integrity of the system are not directly affected, the availability can be severely impacted due to potential malicious actions performed by the attacker-controlled installer.
