CVE-2026-3990

A reflected cross-site scripting (XSS) vulnerability exists in CesiumGS CesiumJS up to version 1.137.0. The issue resides in the file Apps/Sandcastle/standalone.html, where user-supplied data from the URL hash parameter #c= is processed through a three-step decoding pipeline (base64 decoding, DEFLATE decompression, and JSON parsing). The extracted properties (code, html, and baseHref) are then inserted directly into the DOM using innerHTML without sanitization, allowing injection of arbitrary HTML and JavaScript [1].

An attacker can exploit this vulnerability by crafting a malicious URL containing a specially encoded payload. When a victim clicks the link or loads the page, the payload is decoded and executed in the victim's browser. No authentication or user interaction beyond loading the URL is required. The attack vector is network-based and reflected, meaning the payload is part of the URL and not stored on the server [1].

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to data theft (e.g., cookies, session tokens), unauthorized actions on behalf of the victim, and other client-side attacks. The vendor's position, as noted in [1] and referenced from CVE-2023-48094, is that Apps/Sandcastle/standalone.html is demo code and not part of the CesiumJS JavaScript library product. As of the publication date, no official patch has been provided; users are advised to avoid using the Sandcastle standalone viewer in production environments or to apply input validation and output encoding if deployment is necessary.