CVE-2026-3990

Name of the Vulnerable Software and Affected Versions CesiumGS CesiumJS versions up to 1.137.0

Description A security issue has been identified in CesiumGS CesiumJS. The issue involves cross site scripting resulting from the manipulation of the argument c within some unknown functionality of the file Apps/Sandcastle/standalone.html. The attack can be launched remotely. The exploit has been publicly released. The vendor was contacted but did not respond. The vendor states that Apps/Sandcastle/standalone.html is demo code and not part of the CesiumJS JavaScript library product.

Recommendations Versions prior to 1.137.0 should be used. At the moment, there is no information about a newer version that contains a fix for this vulnerability.