Security & compliance
Upholding the highest standards to protect your data and ensure trust.
DEVO-2026-0019
UniGetUI is affected by an incorrect package correlation vulnerability.
Affected Products
Change Log
Initial publication - 2026-06-17
Incorrect package correlation in the pinget backend can install an unrelated package
7.2 High - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H
Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.
CVE(s)
CVE-2026-10696
Remediation and Workarounds
Upgrade to Devolutions UniGetUI 2026.2.1 or higher