PT-2026-7170 · Unity · Unity-Cli

Stephen Hodgson · Published 2026-02-09 · Updated 2026-02-28 · CVE-2026-25918

CVSS v4.0: 5.9 Medium

Vector: AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

unity-cli versions prior to 1.8.2

Description

The sign-package command in unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments, including --email and --password, are output via JSON.stringify without sanitization, potentially exposing secrets to shell history, CI/CD logs, and log aggregation systems. The vulnerable parameters are email and password.

Recommendations

Update to version 1.8.2 or later.

Exploit

Fix

CSRF

Insertion into Log File

Weakness Enumeration

Related Identifiers

CVE-2026-25918
GHSA-4255-C27H-62M5

Affected Products

Unity-Cli