PatchSiren cyber security CVE debrief
CVE-2026-10696 Devolutions CVE debrief
A vulnerability in Devolutions UniGetUI allows a WinGet community catalog contributor to execute an attacker-controlled installer via a crafted catalog package. This occurs because the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier incorrectly resolves names or references, allowing a WinGet community catalog contributor to correlate an installed application with an unrelated, attacker-controlled catalog package. Users of Devolutions UniGetUI 2026.2.0 and earlier should apply the proposed update to prevent exploitation.
- Vendor
- Devolutions
- Product
- UniGetUI
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-24
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-24
Who should care
Users of Devolutions UniGetUI 2026.2.0 and earlier should apply the proposed update to prevent exploitation. Additionally, operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability and take necessary actions to protect their environments.
Technical summary
The pinget backend in Devolutions UniGetUI 2026.2.0 and earlier incorrectly resolves names or references, allowing a WinGet community catalog contributor to correlate an installed application with an unrelated, attacker-controlled catalog package and execute an attacker-controlled installer. This vulnerability can be mitigated by applying the proposed update to Devolutions UniGetUI and verifying the authenticity of catalog packages before installation.
Defensive priority
High
Recommended defensive actions
- Apply the proposed update to Devolutions UniGetUI
- Verify the authenticity of catalog packages before installation
- Monitor for suspicious activity in UniGetUI
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-06-17T20:16:47.670Z and last modified on 2026-06-24T19:03:13.193Z. The NVD entry is currently Analyzed. The evidence provided is limited, and further verification is needed to confirm the affected scope and severity. Defenders should verify the authenticity of catalog packages and monitor for suspicious activity in UniGetUI.
Official resources
-
CVE-2026-10696 CVE record
CVE.org
-
CVE-2026-10696 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T20:16:47.670Z and has not been modified since then. The NVD entry is currently Analyzed.