Skip to main content

Unity Cli CVE-2026-25918

MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-02-09 security-advisories@github.com GHSA-4255-c27h-62m5
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 28, 2026 - 00:16 nvd
Patch available
CVE Published
Feb 09, 2026 - 22:16 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2.

AnalysisAI

Unity-Cli versions up to 1.8.2 is affected by insertion of sensitive information into log file (CVSS 5.5).

Technical ContextAI

This vulnerability (CWE-532: Insertion of Sensitive Information into Log File) affects Unity-Cli. unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 1.8.2..

Share

CVE-2026-25918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy