CVE-2026-3990 is a cross-site scripting vulnerability identified in CesiumGS CesiumJS versions up to 1.137.0. The issue resides specifically in the Apps/Sandcastle/standalone.html file, which is part of the CesiumGS GitHub repository but considered demo code rather than part of the core CesiumJS library product. The vulnerability arises from improper handling of the 'c' argument, allowing an attacker to inject malicious scripts that execute in the context of a victim's browser. This flaw can be exploited remotely without requiring authentication, though it does require user interaction to trigger the malicious payload. The vendor has not responded to the disclosure and has not released a patch, citing the affected file as non-production demo code. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity, with attack vector being network-based, low attack complexity, no privileges or user interaction required for initial access, but user interaction needed to trigger the XSS. The impact primarily affects confidentiality and integrity by enabling script injection, which can lead to session hijacking, credential theft, or execution of arbitrary code within the victim's browser session. While no known exploits in the wild have been reported, the public availability of exploit code increases the risk of opportunistic attacks. Organizations using CesiumJS should assess whether they expose the vulnerable demo application or incorporate the affected file in their deployments and take appropriate measures to mitigate risk.

The primary impact of CVE-2026-3990 is the potential for attackers to execute arbitrary JavaScript in the context of users interacting with the vulnerable Sandcastle demo application. This can lead to theft of sensitive information such as session cookies, user credentials, or other confidential data accessible via the browser. Additionally, attackers could perform actions on behalf of the user, manipulate the user interface, or deliver further malicious payloads. Although the vulnerability is confined to demo code, organizations that expose this component publicly or integrate it into their environments risk compromising user trust and data integrity. The lack of vendor response and patch increases the window of exposure. The vulnerability does not affect system availability directly but can undermine confidentiality and integrity. Given CesiumJS's use in geospatial visualization, mapping, and defense-related applications, exploitation could have broader implications if attackers leverage this vector to gain footholds or pivot to other systems. The medium severity score reflects moderate risk, but the ease of remote exploitation and public exploit availability elevate the threat level for affected deployments.

1. Immediately review all deployments of CesiumJS to determine if the Apps/Sandcastle/standalone.html demo file is exposed to end users or integrated into production environments. 2. If the demo application is not required, remove or restrict access to the Sandcastle directory and standalone.html file to prevent exposure. 3. Implement strict input validation and output encoding on any parameters, especially the 'c' argument, to neutralize potential script injection vectors. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the application. 5. Monitor web server logs for suspicious requests targeting the vulnerable parameter and unusual user activity indicative of exploitation attempts. 6. Consider isolating or sandboxing the demo application environment to limit the impact of any potential compromise. 7. Stay alert for any vendor updates or community patches addressing this vulnerability and apply them promptly. 8. Educate users about the risks of interacting with untrusted links or inputs within CesiumJS-based applications. 9. If feasible, contribute to or engage with the CesiumGS community to encourage official remediation or clarification regarding the vulnerability status.