{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-10696/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-17T19:39:32.170Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-10696","@id":"https://www.cve.org/CVERecord?id=CVE-2026-10696","description":"Use of an incorrectly resolved name or reference in the pinget backend \nin Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community \ncatalog contributor to cause an installed application to be correlated \nto an unrelated, attacker-controlled catalog package and to execute an \nattacker-controlled installer via a crafted catalog package whose \nnormalized name is contained as a substring within the installed \napplication name when a user applies the proposed update."},"products":[{"@id":"cpe:2.3:a:devolutions:unigetui:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:devolutions:unigetui:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-17T19:39:32.170Z"}]}