CVE-2026-3990
Status: Received - Intake
Remote XSS in CesiumGS CesiumJS Apps/Sandcastle/standalone.html

Publication date: 2026-03-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in CesiumGS CesiumJS up to 1.137.0. The issue affects unspecified functionality in the file Apps/Sandcastle/standalone.html: manipulation of the argument c results in cross-site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The presence of this vulnerability remains uncertain at this time. The vendor was contacted early about this disclosure but did not respond in any way. According to CVE-2023-48094, "the vendor's position is that Apps/Sandcastle/standalone.html is part of the CesiumGS/cesium GitHub repository, but is demo code that is not part of the CesiumJS JavaScript library product."
Meta Information
Published: 2026-03-12
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: cesiumgs
Product: cesiumjs
Version / Range: up to 1.137.0 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3990 is a reflected Cross-Site Scripting (XSS) vulnerability in the CesiumGS CesiumJS project, specifically affecting the Sandcastle standalone demo viewer (versions up to 1.137.0). The vulnerability arises from unsafe handling of user-supplied data passed via the URL hash parameter "#c=" in the standalone.html file. This parameter is decoded and parsed into three properties (code, html, and baseHref), which are then directly injected into the web page's DOM using innerHTML without any sanitization or encoding.

An attacker can craft a malicious JSON payload containing JavaScript or HTML, compress and encode it, and append it to the URL. When a victim opens this URL, the malicious code executes in their browser context, enabling cross-site scripting attacks.

  • Injection points include document.head.innerHTML via baseHref, a div element's innerHTML via html, and a script element's innerHTML via code.
  • The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting).

The vendor disputes the relevance of this vulnerability, stating that the affected file is demo code not part of the official CesiumJS product. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can have several impacts if exploited:

  • Confidentiality: Attackers can steal session cookies, authentication tokens, local/session storage data, personal information displayed in the DOM, and application state.
  • Integrity: Attackers can modify application state, perform unauthorized actions, inject fake forms, alter displayed content, and manipulate configurations.
  • Availability: There is a low potential for denial of service through resource exhaustion or redirecting users to malicious sites.

The attack can be launched remotely without authentication, requiring only that a victim accesses a crafted malicious URL.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying attempts to access the vulnerable Sandcastle standalone demo viewer with specially crafted URLs containing the hash parameter '#c=' followed by a base64-encoded, DEFLATE-compressed JSON payload. Monitoring web server logs or network traffic for such URL patterns can help detect exploitation attempts.

Google dorking techniques targeting the vulnerable file path 'Apps/Sandcastle/standalone.html' can also be used to identify instances of the vulnerable component exposed on the internet.

Suggested commands include searching web server logs or captured HTTP requests for the pattern '#c=' in URLs referencing 'standalone.html'. For example, using grep on logs:

  • grep -i 'standalone.html#c=' /var/log/apache2/access.log
  • grep -i 'standalone.html#c=' /var/log/nginx/access.log

Additionally, network traffic capture tools like tcpdump or Wireshark can filter HTTP requests containing the vulnerable URL pattern.

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'standalone.html#c='

[1, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Apply output encoding by escaping all user-controlled data before inserting it into the DOM to prevent execution of malicious scripts.
  • Replace unsafe innerHTML assignments with safer DOM APIs such as textContent to avoid HTML interpretation.
  • Implement strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed.
  • Validate and restrict the format and content of the base64-encoded hash parameter to reject malformed or malicious inputs.
  • Enforce allowlists on the 'baseHref' property to restrict it to expected safe paths.

If possible, remove or disable the vulnerable demo file 'Apps/Sandcastle/standalone.html' from public access, as it is demo code and not part of the official CesiumJS product.

Regularly conduct security testing and code reviews on demo and documentation files to identify and remediate similar issues. [1, 3]

