CVE-2026-3990
Received Received - Intake
Remote XSS in CesiumGS CesiumJS Apps/Sandcastle/standalone.html

Publication date: 2026-03-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in CesiumGS CesiumJS up to 1.137.0. Affected by this issue is some unknown functionality of the file Apps/Sandcastle/standalone.html. The manipulation of the argument c results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The presence of this vulnerability remains uncertain at this time. The vendor was contacted early about this disclosure but did not respond in any way. According to CVE-2023-48094, "the vendor's position is that Apps/Sandcastle/standalone.html is part of the CesiumGS/cesium GitHub repository, but is demo code that is not part of the CesiumJS JavaScript library product."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3990
EUVD
EUVD-2026-11534
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cesiumgs cesiumjs to 1.137.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3990 is a reflected Cross-Site Scripting (XSS) vulnerability in the CesiumGS CesiumJS project, specifically affecting the Sandcastle standalone demo viewer (versions up to 1.137.0). The vulnerability arises from unsafe handling of user-supplied data passed via the URL hash parameter "#c=" in the standalone.html file. This parameter is decoded and parsed into three propertiesβ€”code, html, and baseHrefβ€”which are then directly injected into the web page\'s DOM using innerHTML without any sanitization or encoding.'}, {'type': 'paragraph', 'content': 'An attacker can craft a malicious JSON payload containing JavaScript or HTML, compress and encode it, and append it to the URL. When a victim opens this URL, the malicious code executes in their browser context, enabling cross-site scripting attacks.'}, {'type': 'list_item', 'content': "Injection points include document.head.innerHTML via baseHref, a div element's innerHTML via html, and a script element's innerHTML via code."}, {'type': 'list_item', 'content': 'The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting).'}, {'type': 'paragraph', 'content': 'The vendor disputes the relevance of this vulnerability, stating that the affected file is demo code not part of the official CesiumJS product.'}] [1, 2, 3]

Impact Analysis

This vulnerability can have several impacts if exploited:

  • Confidentiality: Attackers can steal session cookies, authentication tokens, local/session storage data, personal information displayed in the DOM, and application state.
  • Integrity: Attackers can modify application state, perform unauthorized actions, inject fake forms, alter displayed content, and manipulate configurations.
  • Availability: There is a low potential for denial of service through resource exhaustion or redirecting users to malicious sites.

The attack can be launched remotely without authentication, requiring only that a victim accesses a crafted malicious URL.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by identifying attempts to access the vulnerable Sandcastle standalone demo viewer with specially crafted URLs containing the hash parameter '#c=' followed by a base64-encoded, DEFLATE-compressed, JSON payload. Monitoring web server logs or network traffic for such URL patterns can help detect exploitation attempts."}, {'type': 'paragraph', 'content': "Google dorking techniques targeting the vulnerable file path 'Apps/Sandcastle/standalone.html' can also be used to identify instances of the vulnerable component exposed on the internet."}, {'type': 'paragraph', 'content': "Suggested commands include searching web server logs or captured HTTP requests for the pattern '#c=' in URLs referencing 'standalone.html'. For example, using grep on logs:"}, {'type': 'list_item', 'content': "grep -i 'standalone.html#c=' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -i 'standalone.html#c=' /var/log/nginx/access.log"}, {'type': 'paragraph', 'content': 'Additionally, network traffic capture tools like tcpdump or Wireshark can filter HTTP requests containing the vulnerable URL pattern.'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'standalone.html#c='"}] [1, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Apply output encoding by escaping all user-controlled data before inserting it into the DOM to prevent execution of malicious scripts.'}, {'type': 'list_item', 'content': 'Replace unsafe innerHTML assignments with safer DOM APIs such as textContent to avoid HTML interpretation.'}, {'type': 'list_item', 'content': 'Implement strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed.'}, {'type': 'list_item', 'content': 'Validate and restrict the format and content of the base64-encoded hash parameter to reject malformed or malicious inputs.'}, {'type': 'list_item', 'content': "Enforce allowlists on the 'baseHref' property to restrict it to expected safe paths."}, {'type': 'paragraph', 'content': "If possible, remove or disable the vulnerable demo file 'Apps/Sandcastle/standalone.html' from public access, as it is demo code and not part of the official CesiumJS product."}, {'type': 'paragraph', 'content': 'Regularly conduct security testing and code reviews on demo and documentation files to identify and remediate similar issues.'}] [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3990. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart