CVE-2025-44136
published 2025-07-29

Priority: P277
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation: exploited in the wild (ITW, EXPLOIT); listed in VulnCheck KEV
EPSS: 2.51% (82.8th percentile)
MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without HTML encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser.

Affected (1 range)

Vendor    Product         Version range   Fixed in
maptiler  tileserver_php  (not given)     (not given)

Detection & IOCs (extracted from sources)

URL: /tileserver.php/wmts/x/1/1/asd?Request=x&layer=%3Csvg+alert(document.domain)%3E
  • Look for GET requests to tileserver.php/wmts with a 'layer' parameter containing unsanitized HTML/JS payloads (e.g., <svg>, <script> tags or URL-encoded equivalents like %3Csvg).
  • Match HTTP 404 responses from tileserver.php containing both the reflected layer payload and the string 'Unknown or not specified dataset' in the body with content-type text/html.
  • Use Shodan query 'title:"TileServer-php"' or FOFA query 'title="TileServer-php"' to identify exposed instances for proactive scanning.
  • Flag unauthenticated (no session/auth headers) GET requests to paths matching /tileserver.php/wmts/* where the 'layer' parameter contains angle brackets or URL-encoded HTML tag characters.
  • The vulnerability is specific to MapTiler Tileserver-php v2.0; other versions may not be affected or may have different path structures.
  • The XSS is reflected (not stored), so detection must focus on the request/response pair rather than persistent content; the payload appears in the server's error message body.
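The request-side and response-side rules above, implemented as an added example; this is not code from the vulnerability database or from MapTiler. The access-log lines are constructed for illustration (combined-log layout, documentation IP range), and the function names `scan_access_log`, `suspicious_layer_values` and `is_reflected_error` are this example's own. The check decodes the `layer` value repeatedly so that a double-encoded tag such as `%253C` is still recognised, and it only fires on GET requests under `/tileserver.php/wmts/`, matching the bullets' scope.

```python
"""Detection logic for CVE-2025-44136: reflected XSS via the 'layer'
parameter of tileserver.php/wmts. Added example with constructed input."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log (not real traffic).
# Layout: client - - [time] "METHOD target HTTP/x" status size
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jul/2025:10:00:01 +0000] "GET /tileserver.php/wmts/osm/1/1/1 HTTP/1.1" 200 5120
203.0.113.7 - - [29/Jul/2025:10:00:02 +0000] "GET /tileserver.php/wmts/x/1/1/asd?Request=x&layer=%3Csvg+alert(document.domain)%3E HTTP/1.1" 404 812
203.0.113.9 - - [29/Jul/2025:10:00:03 +0000] "GET /tileserver.php/wmts/x/1/1/asd?layer=%253Cscript%253E HTTP/1.1" 404 790
203.0.113.11 - - [29/Jul/2025:10:00:04 +0000] "GET /other.php?layer=%3Cb%3E HTTP/1.1" 200 100
203.0.113.13 - - [29/Jul/2025:10:00:05 +0000] "POST /tileserver.php/wmts/x?layer=%3Csvg%3E HTTP/1.1" 405 0
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
WMTS_PATH = re.compile(r'^/tileserver\.php/wmts(/|$)')   # scope from the IOC bullets
TAG_CHARS = re.compile(r'[<>]')                           # angle brackets after decoding
ERROR_MARKER = "Unknown or not specified dataset"         # string quoted in the IOC list


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_layer_values(target: str):
    """Return decoded 'layer' values of a request target that contain '<' or '>',
    or an empty list when the path is outside /tileserver.php/wmts."""
    parts = urlsplit(target)
    if not WMTS_PATH.match(parts.path):
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("layer", [])
    # parse_qs already removed one encoding layer; decode further for double-encoding
    return [v for v in (fully_decode(x) for x in values) if TAG_CHARS.search(v)]


def scan_access_log(text: str):
    """Request-side rule: GET to tileserver.php/wmts whose 'layer' carries tag characters."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        values = suspicious_layer_values(m["target"])
        if values:
            hits.append({"client": m["client"], "status": int(m["status"]), "layer": values[0]})
    return hits


def is_reflected_error(status: int, content_type: str, body: str, layer_value: str) -> bool:
    """Response-side rule: 404, text/html, error marker present, and the decoded
    payload echoed unescaped (an HTML-encoded echo does not match)."""
    media_type = content_type.split(";")[0].strip().lower()
    return (status == 404
            and media_type == "text/html"
            and ERROR_MARKER in body
            and layer_value in body)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"suspicious layer parameter from {hit['client']}: {hit['layer']!r} (HTTP {hit['status']})")
```

Pairing both rules lowers false positives: a request-side hit whose response is not a `text/html` 404 echoing the decoded value is a probe against a patched or differently-routed instance, not a successful reflection.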

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL