MEDIUMCVE-2026-3990CVSS 4.3

CVE-2026-3990: XSS in CesiumJS ≤1.137

Platform

javascript

Component

cesium

Fixed in

1.137.1

AI Confidence: mediumNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

A cross-site scripting (XSS) vulnerability exists in CesiumJS versions up to 1.137.0, specifically within the Apps/Sandcastle/standalone.html functionality. This flaw allows an attacker to manipulate the 'c' argument, potentially leading to the execution of malicious scripts within a user's browser. While the precise impact remains uncertain, the availability of a public exploit highlights the potential for immediate exploitation.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-3990 allows an attacker to inject arbitrary JavaScript code into the context of a user's browser session. This can lead to a wide range of malicious activities, including session hijacking, credential theft, and defacement of the CesiumJS application. Given the public availability of an exploit, attackers can readily leverage this vulnerability to compromise systems and steal sensitive information. The attack vector is remote, meaning an attacker does not need to be authenticated to exploit the vulnerability.

Exploitation Context

CVE-2026-3990 is linked to CVE-2023-48094, indicating a history of unresponsiveness from the vendor. A public proof-of-concept exploit is available, significantly increasing the risk of exploitation. The vulnerability was publicly disclosed on 2026-03-12. The EPSS score is likely Medium, given the public exploit and lack of vendor response.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

EPSS

0.03% (9% percentile)

CISA SSVC

Exploitationpoc

Automatableno

Technical Impactpartial

CVSS Vector

Affected Software

Componentcesium

VendorCesiumGS

Affected rangeFixed in

1.137 – 1.1371.137.1

Weakness Classification (CWE)

CWE-79 CWE-94

Timeline

Reserved2026-03-11
Published2026-03-12
EPSS updated2026-03-23

Unpatched — 73 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-3990 is to upgrade to a patched version of CesiumJS. As of this writing, no patched version has been released. Until a fix is available, consider implementing input validation and sanitization on the 'c' argument within Apps/Sandcastle/standalone.html to prevent malicious code injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Carefully review and audit any third-party libraries or components integrated with CesiumJS to identify potential vulnerabilities.

How to fix

Update CesiumJS to a version later than 1.137.0. If updating is not possible, review and filter the inputs of the 'c' argument in the file Apps/Sandcastle/standalone.html to prevent the execution of unwanted code.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-3990 — XSS in CesiumJS ≤1.137?

CVE-2026-3990 is a cross-site scripting vulnerability in CesiumJS versions up to 1.137.0, allowing attackers to inject malicious scripts via the 'c' parameter in Apps/Sandcastle/standalone.html.

Am I affected by CVE-2026-3990 in CesiumJS ≤1.137?

If you are using CesiumJS version 1.137 or earlier, you are potentially affected by this vulnerability. Assess your usage of Apps/Sandcastle/standalone.html.

How do I fix CVE-2026-3990 in CesiumJS ≤1.137?

Upgrade to a patched version of CesiumJS. As of this writing, no patched version is available. Implement input validation and sanitization as a temporary workaround.

Is CVE-2026-3990 being actively exploited?

Yes, a public proof-of-concept exploit exists, indicating a high likelihood of active exploitation.

Where can I find the official CesiumJS advisory for CVE-2026-3990?

The vendor has not released an official advisory. Refer to the CVE details and related security reports for more information.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.