{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25918", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T16:22:17.784Z", "datePublished": "2026-02-09T21:29:55.970Z", "dateUpdated": "2026-02-10T15:57:40.799Z"}, "containers": {"cna": {"title": "unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/RageAgainstThePixel/unity-cli/security/advisories/GHSA-4255-c27h-62m5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/RageAgainstThePixel/unity-cli/security/advisories/GHSA-4255-c27h-62m5"}, {"name": "https://github.com/RageAgainstThePixel/unity-cli/commit/8d4d67b23d7c5fd8f00df3f0f10bec2961c95342", "tags": ["x_refsource_MISC"], "url": "https://github.com/RageAgainstThePixel/unity-cli/commit/8d4d67b23d7c5fd8f00df3f0f10bec2961c95342"}, {"name": "https://github.com/RageAgainstThePixel/unity-cli/releases/tag/v1.8.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/RageAgainstThePixel/unity-cli/releases/tag/v1.8.2"}], "affected": [{"vendor": "RageAgainstThePixel", "product": "unity-cli", "versions": [{"version": "< 1.8.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T21:29:55.970Z"}, "descriptions": [{"lang": "en", "value": "unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2."}], "source": {"advisory": "GHSA-4255-c27h-62m5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:30:06.945196Z", "id": "CVE-2026-25918", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:57:40.799Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25918", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T16:22:17.784Z", "datePublished": "2026-02-09T21:29:55.970Z", "dateUpdated": "2026-02-10T15:57:40.799Z"}, "containers": {"cna": {"title": "unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/RageAgainstThePixel/unity-cli/security/advisories/GHSA-4255-c27h-62m5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/RageAgainstThePixel/unity-cli/security/advisories/GHSA-4255-c27h-62m5"}, {"name": "https://github.com/RageAgainstThePixel/unity-cli/commit/8d4d67b23d7c5fd8f00df3f0f10bec2961c95342", "tags": ["x_refsource_MISC"], "url": "https://github.com/RageAgainstThePixel/unity-cli/commit/8d4d67b23d7c5fd8f00df3f0f10bec2961c95342"}, {"name": "https://github.com/RageAgainstThePixel/unity-cli/releases/tag/v1.8.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/RageAgainstThePixel/unity-cli/releases/tag/v1.8.2"}], "affected": [{"vendor": "RageAgainstThePixel", "product": "unity-cli", "versions": [{"version": "< 1.8.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T21:29:55.970Z"}, "descriptions": [{"lang": "en", "value": "unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2."}], "source": {"advisory": "GHSA-4255-c27h-62m5", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25918", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:30:06.945196Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:30:07.721Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rageagainstthepixel:unity-cli:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C61C418A-2DB7-49E7-BDA6-B6DD4768C0CD", "versionEndExcluding": "1.8.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2."}, {"lang": "es", "value": "unity-cli es una utilidad de l\u00ednea de comandos para el motor de juego Unity. Antes de 1.8.2, el comando sign-package en @rage-against-the-pixel/unity-cli registra credenciales sensibles en texto plano cuando se utiliza la bandera --verbose. Los argumentos de l\u00ednea de comandos, incluyendo --email y --password, se emiten a trav\u00e9s de JSON.stringify sin sanitizaci\u00f3n, exponiendo secretos al historial de la shell, a los registros de CI/CD y a los sistemas de agregaci\u00f3n de registros. Esta vulnerabilidad est\u00e1 corregida en 1.8.2."}], "id": "CVE-2026-25918", "lastModified": "2026-02-28T00:16:27.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T22:16:04.177", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/RageAgainstThePixel/unity-cli/commit/8d4d67b23d7c5fd8f00df3f0f10bec2961c95342"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/RageAgainstThePixel/unity-cli/releases/tag/v1.8.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/RageAgainstThePixel/unity-cli/security/advisories/GHSA-4255-c27h-62m5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.2)"}}], "product": "unity-cli", "vendor": "rageagainstthepixel"}], "analysis": {"en": {"generated_at": "2026-04-17T21:07:32.851039+00:00", "value": {"mitigation_remediation": ["Upgrade unity-cli to version 1.8.2 or later", "Do not use the --verbose flag when supplying credentials to the sign\u2011package command", "Review and sanitize CI/CD logs and other log aggregators to remove embedded credentials"], "summary": {"action": "Patch", "impact": "Sensitive credential leakage in logs"}, "threat_synthesis": {"affected_systems": "The affected vendor is RageAgainstThePixel, product unity\u2011cli. The vulnerability exists in all releases prior to 1.8.2. Version 1.8.2 and later contain the fix. Users running older versions that invoke sign\u2011package with the --verbose flag are affected.", "description_and_impact": "unity-cli is a command\u2011line tool that signs Unity packages. A bug in the sign\u2011package command causes verbose logs to contain plaintext credentials provided via --email and --password. These log entries are written without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. The resulting vulnerability permits disclosure of user credentials.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector requires the attacker to trigger the sign\u2011package command with verbose logging or to obtain access to the resulting log files. If a compromised CI/CD pipeline or local environment can run the command, credentials could be captured easily, leading to potential account compromise."}}}}, "created": "2026-02-10T11:35:01.112148+00:00", "updated": "2026-04-17T21:15:27.381508+00:00", "vendors": ["rageagainstthepixel", "rageagainstthepixel$PRODUCT$unity-cli"]}