Unity · Unity-Cli · CVE-2026-25918
**Name of the Vulnerable Software and Affected Versions**
unity-cli versions prior to 1.8.2
**Description**
The `sign-package` command in unity-cli logs sensitive credentials in plaintext when the `--verbose` flag is used. Command-line arguments, including `--email` and `--password`, are output via `JSON.stringify` without sanitization, potentially exposing secrets to shell history, CI/CD logs, and log aggregation systems. The vulnerable parameters are `email` and `password`.
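The logging pattern described above, next to a redacting alternative, as an added example: this is not unity-cli's source or the 1.8.2 patch, and the function names and sample values are constructed for illustration. It also covers a raw argv array, which goes slightly beyond the options object the description mentions.

```javascript
// Added illustration, not unity-cli source; all function names are hypothetical.
const SENSITIVE_KEYS = new Set(['email', 'password']); // parameters named in the advisory
const REDACTED = '[REDACTED]';

// The pattern the advisory describes: options serialized verbatim for verbose output.
function formatOptionsUnsafe(options) {
  return JSON.stringify(options);
}

// Hardened: a JSON.stringify replacer masks sensitive keys at any nesting depth.
function formatOptionsRedacted(options, sensitive = SENSITIVE_KEYS) {
  return JSON.stringify(options, (key, value) =>
    sensitive.has(key.toLowerCase()) && value != null ? REDACTED : value);
}

// Same idea for a raw argv array: handles "--flag value" and "--flag=value".
// Fails closed: the token after a bare sensitive flag is always masked.
function redactArgv(argv, sensitive = SENSITIVE_KEYS) {
  const out = [];
  let maskNext = false;
  for (const arg of argv) {
    if (maskNext) { out.push(REDACTED); maskNext = false; continue; }
    const m = /^--([^=]+)(=.*)?$/.exec(arg);
    if (m && sensitive.has(m[1].toLowerCase())) {
      if (m[2] !== undefined) out.push(`--${m[1]}=${REDACTED}`);
      else { out.push(arg); maskNext = true; }
    } else {
      out.push(arg);
    }
  }
  return out;
}

// Constructed sample input (not real credentials).
const sampleOptions = {
  package: './com.example.pkg',
  email: 'dev@example.com',
  password: 'constructed-secret',
  verbose: true,
};
const sampleArgv = ['sign-package', '--email', 'dev@example.com',
  '--password=constructed-secret', '--verbose'];

console.log('unsafe  :', formatOptionsUnsafe(sampleOptions));
console.log('redacted:', formatOptionsRedacted(sampleOptions));
console.log('argv    :', redactArgv(sampleArgv).join(' '));
```

Redaction at the log call limits what reaches CI/CD logs and log aggregation; it does not change what the invoking shell records about the command line itself.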
**Recommendations**
Update to version 1.8.2 or later.