CVE-2026-25918 is a low-severity vulnerability with a CVSS score of 0.0. There are no known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
The sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems.
Users who run sign-package with --verbose and credential arguments expose their Unity account passwords. This affects all versions prior to 1.8.2. The vulnerability requires explicit user action (using --verbose) but creates significant risk in automated and shared environments.
Workaround: Use environment variables (UNITY_USERNAME, UNITY_PASSWORD) instead of command-line arguments, and avoid the --verbose flag when working with credentials.
Existing RageAgainstThePixel and Buildalon GitHub actions are unaffected as they use the environment variables exclusively.
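The logging pattern described above, next to a redacting alternative, as an added JavaScript example that is not code from unity-cli or from its fix. The function names, the `SENSITIVE_FLAGS` set and the sample arguments are assumptions made for illustration; only the `--email`, `--password` and `--verbose` flag names come from the advisory.

```javascript
// Added illustration; not unity-cli source. Flag names are from the advisory,
// all function names and sample values here are constructed.
const SENSITIVE_FLAGS = new Set(['--email', '--password']);
const MASK = '[REDACTED]';

// Pattern the advisory describes: raw argv serialized straight into the log line.
function verboseLogUnsafe(argv) {
  return `args: ${JSON.stringify(argv)}`;
}

// Mask values of sensitive flags in both "--flag value" and "--flag=value" forms.
function redactArgs(argv) {
  const out = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    const eq = arg.indexOf('=');
    const name = eq === -1 ? arg : arg.slice(0, eq);
    if (!SENSITIVE_FLAGS.has(name)) {
      out.push(arg);
    } else if (eq !== -1) {
      out.push(`${name}=${MASK}`);
    } else {
      out.push(arg);
      // Fail closed: always mask the following token, even if it looks like a
      // flag, because a secret may itself begin with "--".
      if (i + 1 < argv.length) {
        out.push(MASK);
        i++;
      }
    }
  }
  return out;
}

// Hardened verbose logging: serialize only the redacted copy.
function verboseLogSafe(argv) {
  return `args: ${JSON.stringify(redactArgs(argv))}`;
}

// Constructed sample invocation (not real credentials).
const SAMPLE_ARGV = [
  'sign-package', '--email', 'dev@example.com',
  '--password', 'constructed-secret', '--verbose',
];

console.log(verboseLogUnsafe(SAMPLE_ARGV)); // secret visible in the log line
console.log(verboseLogSafe(SAMPLE_ARGV));   // values replaced with [REDACTED]
```

Redacting log output does not remove the secret from shell history or the process list, which is why the workaround above moves credentials into environment variables.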