CVE-2026-25918

MEDIUM

Rage-against-the-pixel Unity-cli < 1.8.2 - Log Information Exposure

Title source: rule

Description

unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2.

References (3)

[Vendor Advisory] https://github.com/RageAgainstThePixel/unity-cli/security/advisories/GHSA-4255-c27h-62m5

[Patch] https://github.com/RageAgainstThePixel/unity-cli/commit/8d4d67b23d7c5fd8f00df3f0f10bec2961c95342

View Patch ZIP pw:eip

[Release Notes] https://github.com/RageAgainstThePixel/unity-cli/releases/tag/v1.8.2

Scores

CVSS v3 5.5

EPSS 0.0002

EPSS Percentile 4.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (2)

rage-against-the-pixel/unity-cli 0 - 1.8.2npm

rageagainstthepixel/unity-cli < 1.8.2

Published Feb 09, 2026

Tracked Since Feb 18, 2026