CVE-2026-10696

Name of the Vulnerable Software and Affected Versions Devolutions UniGetUI versions prior to 2026.2.1

Description The pinget backend contains an issue where names or references are incorrectly resolved. This allows a WinGet community catalog contributor to correlate an installed application with an unrelated, attacker-controlled catalog package. If a user applies a proposed update, an attacker-controlled installer can be executed via a crafted catalog package whose normalized name is a substring of the installed application name.

Recommendations Update to a version later than 2026.2.0.