Unity Cli
CVE-2026-25918
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2.
AnalysisAI
Unity-Cli versions up to 1.8.2 is affected by insertion of sensitive information into log file (CVSS 5.5).
Technical ContextAI
This vulnerability (CWE-532: Insertion of Sensitive Information into Log File) affects Unity-Cli. unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 1.8.2..
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4255-c27h-62m5