Untrusted search path in Unity Editor - CVE-2025-59489
Published: October 10, 2025 / Updated: October 24, 2025
Vulnerability identifier: #VU116896
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2025-59489
CWE-ID: CWE-426
Exploitation vector: Local access
Exploit availability:
Public exploit is available
Vendor: Unity Technologies
Affected software:
Unity Editor
Unity Editor
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to usage of an untrusted search path. A local user can place a malicious binary into a specific location on the system and execute arbitrary code with escalated privileges.
Note, the vulnerability is described in the Unity Editor application although it directly affects all apps build it Unity Editor.
How to mitigate CVE-2025-59489
It is recommended to rebuild all applications built with Unity Editor after installing the latest version of the editor.