CVE-2026-25918 – unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)

CVE ID : CVE-2026-25918

Published : Feb. 9, 2026, 9:29 p.m. | 52 minutes ago

Description : unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the –verbose flag is used. Command-line arguments including –email and –password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…