Vulnerability Details CVE-2026-10696
Use of an incorrectly resolved name or reference in the pinget backend
in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community
catalog contributor to cause an installed application to be correlated
to an unrelated, attacker-controlled catalog package and to execute an
attacker-controlled installer via a crafted catalog package whose
normalized name is contained as a substring within the installed
application name when a user applies the proposed update.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 18.2%
CVSS Severity
CVSS v3 Score 7.5