CVE-2026-25918

MEDIUM

Rage-against-the-pixel Unity-cli < 1.8.2 - Log Information Exposure

Title source: rule

Description

unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2.

References (3)

Scores

CVSS v3 5.5
EPSS 0.0001
EPSS Percentile 1.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-532
Status published

Affected Products (2)

rage-against-the-pixel/unity-cli < 1.8.2npm
rageagainstthepixel/unity-cli < 1.8.2

Timeline

Published Feb 09, 2026
Tracked Since Feb 18, 2026