CVE-2025-44136

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-44136
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-44136.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-44136
Published
2025-07-29T17:15:33.327Z
Modified
2026-04-10T05:27:10.148506Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without html encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser.

References

Affected packages

Git / github.com/maptiler/tileserver-php

Affected ranges

Type
GIT
Repo
https://github.com/maptiler/tileserver-php
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
e4148733ed1ae179e2c820c011ed47679b33b92e
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0"
        }
    ]
}

Affected versions

v0.*
v0.1
v1.*
v1.0
v2.*
v2.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-44136.json"