CVE-2026-25918

Summary

unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the –verbose flag is used. Command-line arguments including –email and –password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2.

Affected Software

VendorProductVersion RangeStatus
RageAgainstThePixelunity-cli< 1.8.2affected

Weaknesses

  • CWE-532: CWE-532: Insertion of Sensitive Information into Log File

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References