CVE-2026-10696 - Vulnerability Details - OpenCVE

Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00268.

Exploitation none

Automatable yes

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://devolutions.net/security/advisories/DEVO-2026-0019

History

Thu, 18 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.
Weaknesses		CWE-706
References		https://devolutions.net/security/advisories/DEVO-2026-0019
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published: 2026-06-17T18:43:29.276Z

Updated: 2026-06-17T19:39:32.170Z

Reserved: 2026-06-02T16:11:22.453Z

Link: CVE-2026-10696

Vulnrichment

Updated: 2026-06-17T19:39:24.902Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-10696", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-06-02T16:11:22.453Z", "datePublished": "2026-06-17T18:43:29.276Z", "dateUpdated": "2026-06-17T19:39:32.170Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-06-17T18:43:29.276Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-706", "description": "CWE-706", "type": "CWE"}]}], "affected": [{"vendor": "Devolutions", "product": "UniGetUI", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "2026.2.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Use of an incorrectly resolved name or reference in the pinget backend \nin Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community \ncatalog contributor to cause an installed application to be correlated \nto an unrelated, attacker-controlled catalog package and to execute an \nattacker-controlled installer via a crafted catalog package whose \nnormalized name is contained as a substring within the installed \napplication name when a user applies the proposed update.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Use of an incorrectly resolved name or reference in the pinget backend \nin Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community \ncatalog contributor to cause an installed application to be correlated \nto an unrelated, attacker-controlled catalog package and to execute an \nattacker-controlled installer via a crafted catalog package whose \nnormalized name is contained as a substring within the installed \napplication name when a user applies the proposed update."}]}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0019"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-17T19:38:53.962259Z", "id": "CVE-2026-10696", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T19:39:32.170Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-10696", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-17T19:38:53.962259Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T19:39:24.902Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "UniGetUI", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2026.2.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0019"}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "Use of an incorrectly resolved name or reference in the pinget backend \nin Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community \ncatalog contributor to cause an installed application to be correlated \nto an unrelated, attacker-controlled catalog package and to execute an \nattacker-controlled installer via a crafted catalog package whose \nnormalized name is contained as a substring within the installed \napplication name when a user applies the proposed update.", "supportingMedia": [{"type": "text/html", "value": "Use of an incorrectly resolved name or reference in the pinget backend \nin Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community \ncatalog contributor to cause an installed application to be correlated \nto an unrelated, attacker-controlled catalog package and to execute an \nattacker-controlled installer via a crafted catalog package whose \nnormalized name is contained as a substring within the installed \napplication name when a user applies the proposed update.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-706", "description": "CWE-706"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-06-17T18:43:29.276Z"}}}, "cveMetadata": {"cveId": "CVE-2026-10696", "state": "PUBLISHED", "dateUpdated": "2026-06-17T19:39:32.170Z", "dateReserved": "2026-06-02T16:11:22.453Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-06-17T18:43:29.276Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}