Platform: javascript
Component: cesium
Fixed in: 1.137.1
A cross-site scripting (XSS) vulnerability exists in CesiumJS versions up to and including 1.137.0, in Apps/Sandcastle/standalone.html. The page reflects the 'c' query parameter without adequate neutralization, so an attacker who can get a victim to open a crafted URL can run script in that victim's browser in the origin serving the page. The precise impact has not been fully characterized, but a public exploit exists, so exploitation requires no further research by an attacker.
Successful exploitation of CVE-2026-3990 lets an attacker execute arbitrary JavaScript in the context of a user's browser session on the affected origin. That enables the usual consequences of XSS: session hijacking, theft of credentials or tokens held by the page, and defacement of the CesiumJS application. The attack vector is network-based and needs no authentication on the attacker's side; as with any reflected XSS, it does require a victim to load the attacker-supplied URL (for example via a link in a message or a redirect).
This entry is linked to CVE-2023-48094, which the page cites as a sign of slow vendor response to this area of the code. A public proof-of-concept exploit is available, which raises the likelihood of opportunistic exploitation. The vulnerability was publicly disclosed on 2026-03-12. The EPSS score listed on this page is 0.03% (9th percentile), i.e. low, despite the public PoC; treat the PoC, not the EPSS figure, as the reason to prioritize the fix.
Organizations and individuals serving CesiumJS 1.137.0 or earlier are exposed wherever Apps/Sandcastle/standalone.html is reachable by end users, since the vulnerable handling of the 'c' parameter is in that page itself rather than in application code around it. Shared hosting set-ups in which several sites are served from the same CesiumJS installation share that exposure: every site on the installation is affected by the one vulnerable page.
• javascript / cesiumjs: Inspect requests to Apps/Sandcastle/standalone.html for HTML or JavaScript in the 'c' parameter (script tags, inline event handlers such as onerror=, javascript: URLs), including double-URL-encoded forms.
• generic web: In a browser with developer tools open, load the page with a harmless marker in 'c' and check whether the value is reflected into the DOM unencoded; a reflected marker confirms the page is still vulnerable.
• generic web: Review web-server access logs for requests to Apps/Sandcastle/standalone.html with unusual query parameters, especially from scanners or from many distinct source addresses in a short period.
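The log-review check above, as an added example that is not part of this advisory or of the CesiumJS project: a small scanner over web-server access-log lines (Apache/nginx combined format) that flags requests to the Sandcastle standalone page whose 'c' parameter decodes to script-like content. The log lines are constructed samples; the target path is the one named in the advisory, and the assumption that legitimate 'c' values are opaque base64-like tokens is mine.

```javascript
// Added example, not advisory or CesiumJS code: flag access-log requests to the
// Sandcastle standalone page whose 'c' query parameter looks like an XSS payload.
const TARGET_PATH = '/Apps/Sandcastle/standalone.html';

// Markers typical of reflected-XSS payloads. Assumption: legitimate 'c' values are
// opaque base64-like tokens and therefore never contain any of these.
const PAYLOAD_MARKERS = [
  /<\s*\/?\s*(script|img|svg|iframe|object|embed)\b/i, // dangerous elements
  /\bon[a-z]+\s*=/i,                                  // inline event handlers: onerror=, onload=
  /javascript\s*:/i,                                  // javascript: URLs
  /<\s*\/?\s*[a-z][a-z0-9]*[^>]*>/i,                  // any other HTML tag
];

// Parse one combined-format access-log line into the fields we need.
function parseCombinedLog(line) {
  const m = line.match(
    /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/
  );
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]), userAgent: m[6] };
}

// Decode a bounded number of times so double-encoded payloads (%253C -> %3C -> <)
// are unwrapped; stop when the value stops changing or is not valid encoding.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current.replace(/\+/g, ' ')); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// One finding per request to TARGET_PATH whose decoded 'c' matches a marker.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseCombinedLog(line);
    if (!req) continue;
    let url;
    try { url = new URL(req.target, 'http://placeholder.invalid'); } catch { continue; }
    if (url.pathname !== TARGET_PATH) continue;
    const raw = url.searchParams.get('c'); // URLSearchParams already decodes once
    if (raw === null) continue;
    const decoded = fullyDecode(raw);
    const hit = PAYLOAD_MARKERS.find((re) => re.test(decoded));
    if (hit) {
      findings.push({ ip: req.ip, time: req.time, userAgent: req.userAgent, payload: decoded, marker: hit.source });
    }
  }
  return findings;
}

// Constructed sample log: a plain payload, a benign token, a double-encoded
// payload, and an unrelated request. Addresses are documentation ranges.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "GET /Apps/Sandcastle/standalone.html?c=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.3 - - [12/Mar/2026:10:02:15 +0000] "GET /Apps/Sandcastle/standalone.html?c=eJxLzs8rSc0rKVYoSS0uUQAAJZ4FvA%3D%3D HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [12/Mar/2026:10:03:44 +0000] "GET /Apps/Sandcastle/standalone.html?c=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "curl/8.0"',
  '192.0.2.9 - - [12/Mar/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.ip} [${f.marker}] ${f.payload}`);
}
```

Run it with `node` against your own log by replacing SAMPLE_LOG with the file's lines; the bounded repeated decoding is what catches the double-encoded variant that a single-decode check would miss.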
disclosure
Exploit status: poc
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-3990 is to upgrade CesiumJS to 1.137.1 or later, the version this page lists as fixed. Sandcastle is the CesiumJS example sandbox; if your deployment does not need it, do not serve Apps/Sandcastle/ from production at all, which removes the vulnerable page regardless of version. Where upgrading is delayed and the page must stay up, validate the 'c' parameter in Apps/Sandcastle/standalone.html against the format it is expected to carry and encode it before it reaches the DOM, so that attacker-supplied markup or script cannot be injected. A Web Application Firewall (WAF) with XSS rules adds a layer of protection but is bypassable and should not be the only control. Also review any third-party libraries bundled alongside CesiumJS, since a build that ships the Sandcastle app may be exposed even if your own code never links to it.
Update CesiumJS to a version later than 1.137.0. If updating is not possible, validate and filter the 'c' argument in Apps/Sandcastle/standalone.html to prevent execution of unwanted code.
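The interim fix described above, as an added example rather than code from CesiumJS or from the advisory: a hypothetical page script that reflects the 'c' query parameter. renderUnsafe() shows the reflected-XSS pattern (raw value written as markup, innerHTML-style); renderSafe() shows the hardened form, which allowlists the expected shape of the value and HTML-encodes it before it reaches the document. The allowlist assumes 'c' is an opaque base64-like token; the function names and the bound on length are assumptions for the example.

```javascript
// Added example, not CesiumJS code: vulnerable vs. hardened handling of a
// reflected query parameter named 'c'. Runs under node without a DOM by
// returning the markup that would be written to the page.

function getParam(search, name) {
  return new URLSearchParams(search).get(name); // decodes percent-encoding once
}

// Vulnerable pattern: attacker-controlled text becomes markup.
// In a browser this is the equivalent of el.innerHTML = c.
function renderUnsafe(search) {
  const c = getParam(search, 'c') ?? '';
  return `<div id="code">${c}</div>`;
}

// Encode the five characters that matter in element content and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed legitimate shape of 'c': base64 / base64url characters, bounded length.
const ALLOWED_C = /^[A-Za-z0-9+\/=_-]{1,8192}$/;

// Hardened pattern: reject anything outside the allowlist, then encode what is left.
// In a browser prefer el.textContent = c, which cannot create elements at all.
function renderSafe(search) {
  const c = getParam(search, 'c');
  if (c === null) return '<div id="code"></div>';
  if (!ALLOWED_C.test(c)) {
    throw new Error('rejected: c parameter has unexpected characters or length');
  }
  return `<div id="code">${escapeHtml(c)}</div>`;
}

// Constructed inputs: an event-handler payload and a benign token.
const PAYLOAD = '?c=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E';
const BENIGN = '?c=eJxLzs8rSc0rKVYoSS0uUQAAJZ4FvA%3D%3D';

console.log('unsafe :', renderUnsafe(PAYLOAD));
console.log('safe   :', renderSafe(BENIGN));
try {
  renderSafe(PAYLOAD);
} catch (e) {
  console.log('safe   :', e.message);
}
```

Encoding alone already stops markup injection when the value is only ever written as element text; the allowlist on top of it rejects payloads early, keeps the parameter from being abused in other contexts, and makes the rejected requests easy to log. A Content-Security-Policy that disallows inline script is a further, independent layer for the interim period.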
CVE-2026-3990 is a cross-site scripting vulnerability in CesiumJS versions up to 1.137.0, allowing attackers to inject malicious scripts via the 'c' parameter in Apps/Sandcastle/standalone.html.
If you are using CesiumJS version 1.137.0 or earlier and serve Apps/Sandcastle/standalone.html, you are affected. Check whether that page is deployed and reachable in your environment.
Upgrade to CesiumJS 1.137.1 or later, the version listed as fixed on this page. If you cannot upgrade immediately, remove the Sandcastle app from production or validate and encode the 'c' parameter as a temporary workaround.
Yes, a public proof-of-concept exploit exists. The listed EPSS score is low (0.03%), but the PoC means exploitation needs no further research and should be expected from opportunistic scanning.
The vendor has not released an official advisory. Refer to the CVE details and related security reports for more information.