CVE-2026-25918
unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)
Description
The sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the `--verbose` flag is used. Command-line arguments including `--email` and `--password` are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. Users who run sign-package with `--verbose` and credential arguments expose their Unity account passwords. This affects all versions prior to 1.8.2. The vulnerability requires explicit user action (using `--verbose`) but creates significant risk in automated and shared environments. Workaround: Use environment variables (`UNITY_USERNAME`, `UNITY_PASSWORD`) instead of command-line arguments, and avoid the `--verbose` flag when working with credentials. Existing RageAgainstThePixel and Buildalon GitHub actions are unaffected as they use the environment variables exclusively.
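The flaw described above is a generic one: a CLI dumps its parsed argument object (or raw argv) into a debug log with JSON.stringify, so any credential passed on the command line lands in the log verbatim. The following added example is not unity-cli's own code; it shows the unsafe pattern next to a hardened version that redacts credential-bearing keys before serialisation, handles both a parsed-options object and a raw argv array (including `--password=value` and `--password value` forms), and implements the advisory's workaround of sourcing credentials from `UNITY_USERNAME` / `UNITY_PASSWORD`. The sensitive-key list, the precedence of environment variables over flags, and the sample arguments are assumptions constructed for the example.

```javascript
// Added example, not code from unity-cli. Demonstrates redacting credentials
// from CLI argument structures before they reach a verbose/debug log.

// Keys the advisory names (email, password) plus common credential names.
// Assumption: this list is illustrative, not the project's own.
const SENSITIVE_KEYS = new Set(['email', 'password', 'token', 'secret', 'apikey', 'api-key', 'api_key']);
const REDACTED = '[REDACTED]';

// A key is sensitive if it is in the list or contains a credential-like word.
function isSensitiveKey(key) {
  const k = String(key).toLowerCase().replace(/^--?/, '');
  if (SENSITIVE_KEYS.has(k)) return true;
  return /(password|passwd|secret|token|credential)/.test(k);
}

// Recursively redact a parsed-options object (the shape most arg parsers produce).
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = isSensitiveKey(k) ? REDACTED : redact(v);
    }
    return out;
  }
  return value;
}

// Redact a raw argv array: handles "--password=x" and "--password x".
function redactArgv(argv) {
  const out = [];
  let hideNext = false;
  for (const tok of argv) {
    if (hideNext) { out.push(REDACTED); hideNext = false; continue; }
    const m = /^(--?[^=]+)(=.*)?$/.exec(tok);
    if (m && isSensitiveKey(m[1])) {
      if (m[2] !== undefined) out.push(`${m[1]}=${REDACTED}`); // --password=x form
      else { out.push(tok); hideNext = true; }                   // --password x form
      continue;
    }
    out.push(tok);
  }
  return out;
}

// The vulnerable pattern the advisory describes: serialise args verbatim.
function debugLogUnsafe(args) {
  return JSON.stringify(args);
}

// Hardened: redact first, then serialise.
function debugLogSafe(args) {
  return JSON.stringify(redact(args));
}

// Workaround from the advisory: take credentials from environment variables.
// Assumption: env wins over flags here; the real CLI's precedence is not stated on the page.
function resolveCredentials(args, env) {
  return {
    username: env.UNITY_USERNAME ?? args.email,
    password: env.UNITY_PASSWORD ?? args.password,
  };
}

// Constructed sample input (not real credentials).
const sampleArgs = { _: ['sign-package'], email: 'dev@example.com', password: 'hunter2', verbose: true };
const sampleArgv = ['sign-package', '--email', 'dev@example.com', '--password=hunter2', '--verbose'];

console.log('unsafe :', debugLogUnsafe(sampleArgs));
console.log('safe   :', debugLogSafe(sampleArgs));
console.log('argv   :', redactArgv(sampleArgv).join(' '));
```

In a real CLI the redaction belongs in the single place where verbose output is produced, so that every future `--verbose` code path inherits it; a grep over the repository for `JSON.stringify(` applied to parsed options or `process.argv` is a quick way to find the spots that need it.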
How to fix CVE-2026-25918
To remediate CVE-2026-25918, upgrade the affected package to a fixed version below.
- @rage-against-the-pixel/unity-cli: upgrade to 1.8.2 or later
Is CVE-2026-25918 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- @rage-against-the-pixel/unity-cli: all versions from 0 up to, but not including, 1.8.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |