CVE-2025-44136
Published 2025-07-29
Priority: P277 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.51% (82.8th percentile)
MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without HTML encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| maptiler | tileserver_php | — | — |
Detection & IOCs (extracted from sources)
- Look for GET requests to tileserver.php/wmts with a 'layer' parameter containing unsanitized HTML/JS payloads (e.g., <svg>, <script> tags or URL-encoded equivalents like %3Csvg).
- Match HTTP 404 responses from tileserver.php containing both the reflected layer payload and the string 'Unknown or not specified dataset' in the body with content-type text/html.
- Use Shodan query 'title:"TileServer-php"' or FOFA query 'title="TileServer-php"' to identify exposed instances for proactive scanning.
- Flag unauthenticated (no session/auth headers) GET requests to paths matching /tileserver.php/wmts/* where the 'layer' parameter contains angle brackets or URL-encoded HTML tag characters.
- The vulnerability is specific to MapTiler Tileserver-php v2.0; other versions may not be affected or may have different path structures.
- The XSS is reflected (not stored), so detection must focus on the request/response pair rather than persistent content; the payload appears in the server's error message body.
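The first, second and fourth indicators above (a GET to tileserver.php/wmts, a 'layer' value containing angle brackets or their URL-encoded forms, and a 404 error page) can be checked against ordinary web-server access logs. The Python below is an added example, not code from this page, from MapTiler or from any of the listed sources. It assumes Apache/nginx combined-format logs and that tileserver.php is served from the web root, and the log lines it scans are constructed for the example. It decodes the parameter repeatedly so double-encoded values are caught, and uses the 404 status as the stand-in for the body match, since access logs do not record response bodies.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined log format. Addresses, timestamps
# and query strings are made up for this example; they are not captures from the page.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jul/2025:10:00:01 +0000] "GET /tileserver.php/wmts?layer=osm&request=GetCapabilities HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [29/Jul/2025:10:00:02 +0000] "GET /tileserver.php/wmts?layer=%3Csvg%3Etest HTTP/1.1" 404 812 "-" "curl/8.0"
203.0.113.12 - - [29/Jul/2025:10:00:03 +0000] "GET /tileserver.php/wmts?layer=%253Cscript%253E HTTP/1.1" 404 790 "-" "python-requests/2.31"
203.0.113.13 - - [29/Jul/2025:10:00:04 +0000] "GET /index.html?layer=%3Cb%3Ex HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.14 - - [29/Jul/2025:10:00:05 +0000] "GET /tileserver.php/wmts?layer=roads_v2 HTTP/1.1" 404 640 "-" "Mozilla/5.0"
"""

# Fields of the combined format we need: client address, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Path prefix named in the detection guidance; assumed here to sit at the web root.
WMTS_PREFIX = "/tileserver.php/wmts"
TAG_CHARS = re.compile(r"[<>]")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded values (%253C -> %3C -> <) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_request(line: str):
    """Return a finding dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    parts = urlsplit(m["target"])
    if not parts.path.startswith(WMTS_PREFIX):
        return None
    # parse_qs already strips one layer of percent-encoding; decode_fully handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("layer", []):
        layer = decode_fully(raw)
        if TAG_CHARS.search(layer):
            status = int(m["status"])
            return {
                "ip": m["ip"],
                "timestamp": m["ts"],
                "path": parts.path,
                "layer": layer,
                "status": status,
                # The vulnerable error page is a 404. An access log has no body, so the
                # status code stands in for the 'Unknown or not specified dataset' check.
                "error_page_reflected": status == 404,
            }
    return None


def scan_log(text: str):
    """Run check_request over every line of the log and collect the findings."""
    return [f for f in (check_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the two tileserver.php/wmts requests whose decoded 'layer' contains tag characters are reported; the same payload against another path, and a legitimate dataset name that happens to produce a 404, are ignored. Feeding the findings into a SIEM rule keyed on `error_page_reflected` gives the request/response pairing the second indicator asks for, as closely as an access log allows.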
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-cj86-6g7w-75f6: MapTiler Tileserver-php v2 (ghsa_unreviewed · 2025-07-29)
CVE-2025-44136 [CRITICAL] · CWE-79
VulnCheck
maptiler tileserver_php: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (vulncheck · 2025 · CVSS 9.8)
CVE-2025-44136 [CRITICAL]
Affected: maptiler tileserver_php
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-44136
Exploit PoC: https://vulncheck.com/xdb/e985df749053
No detection rules found.
Nuclei
MapTiler Tileserver-php v2.0 - Unauthenticated XSS (nuclei · CVSS 9.8)
CVE-2025-44136 [CRITICAL]
Template:

```yaml
id: CVE-2025-44136

info:
  name: MapTiler Tileserver-php v2.0 - Unauthenticated XSS
  author: 0x_Akoko
  severity: medium
  description: |
    MapTiler Tileserver-php v2.0 contains a reflected XSS caused by unencoded reflection of the GET parameter "layer" in an error message, letting unauthenticated attackers execute arbitrary script on victim browsers.
  impact: |
    Unauthenticated attackers can execute arbitrary JavaScript in victim browsers, leading to session hijacking or phishing.
  remediation: |
    Update to the latest versi
```
No writeups or analysis indexed.
Timeline: 2025-07-29 published · exploited in the wild