Description
A security flaw has been discovered in CesiumGS CesiumJS up to 1.137.0. Affected by this issue is some unknown functionality of the file Apps/Sandcastle/standalone.html. The manipulation of the argument c results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The presence of this vulnerability remains uncertain at this time. The vendor was contacted early about this disclosure but did not respond in any way. According to CVE-2023-48094, "the vendor's position is that Apps/Sandcastle/standalone.html is part of the CesiumGS/cesium GitHub repository, but is demo code that is not part of the CesiumJS JavaScript library product."
Published: 2026-03-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting
Action: Monitor
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary script code by manipulating the c argument in the standalone.html page of CesiumJS. This is a classic reflected Cross‑Site Scripting (XSS) flaw (CWE‑79) with elements of code injection (CWE‑94). An attacker who succeeds could execute malicious code in the context of the victim’s browser, potentially leaking data or performing actions on behalf of the user. The CVE description states the flaw can be triggered remotely and that a public exploit has already been released, increasing the risk of exploitation.

Affected Systems

CesiumJS versions up to and including 1.137.0 are affected, specifically through the Apps/Sandcastle/standalone.html demo file. The vulnerability has not been confirmed in later releases, and the vendor has not released a patch as of the last advisory.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, which further implies limited known exploitation. However, the flaw is remote‑triggered via a crafted URL to standalone.html, and the availability of a public exploit means that, should the software remain unpatched, a successful attack is feasible.

Generated by OpenCVE AI on March 18, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an official patch or a newer version of CesiumJS that removes the XSS in standalone.html.
  • If no patch is available, prevent public access to Apps/Sandcastle/standalone.html or remove the demo page entirely from production deployments.
  • Add protective web‑application controls such as Content‑Security‑Policy headers and XSS Mitigation X-Content-Type-Options to mitigate possible attacks.
  • Stay updated with CesiumJS releases and monitor the project's GitHub repository for any security notices.

Generated by OpenCVE AI on March 18, 2026 at 15:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Cesium
Cesium cesiumjs
Vendors & Products Cesium
Cesium cesiumjs

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 06:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in CesiumGS CesiumJS up to 1.137.0. Affected by this issue is some unknown functionality of the file Apps/Sandcastle/standalone.html. The manipulation of the argument c results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The presence of this vulnerability remains uncertain at this time. The vendor was contacted early about this disclosure but did not respond in any way. According to CVE-2023-48094, "the vendor's position is that Apps/Sandcastle/standalone.html is part of the CesiumGS/cesium GitHub repository, but is demo code that is not part of the CesiumJS JavaScript library product."
Title CesiumGS CesiumJS standalone.html cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Cesium Cesiumjs
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T14:31:28.585Z

Reserved: 2026-03-11T16:47:05.525Z

Link: CVE-2026-3990

cve-icon Vulnrichment

Updated: 2026-03-12T14:31:04.642Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-12T06:16:31.390

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-3990

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:36:02Z

Weaknesses