CVE-2025-44136
Published: 29 July 2025
Summary
CVE-2025-44136 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in MapTiler Tileserver-php. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks in the top 5.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).
Deeper analysis
MapTiler Tileserver-php v2.0 is vulnerable to reflected cross-site scripting because the GET parameter "layer" is inserted directly into an error message without HTML encoding. The flaw is tracked as CVE-2025-44136 and carries a CVSS 3.1 score of 9.8.
An unauthenticated attacker can supply a crafted URL containing script payloads in the layer parameter and cause arbitrary HTML or JavaScript to execute in any browser that visits the link. The attack requires no credentials and can achieve full control over the victim’s session within the application origin.
EPSS for the vulnerability rose from a low baseline to a recorded peak of 0.1781, indicating that exploitation interest increased after public disclosure. Public references consist of a GitHub issue and a proof-of-concept repository, but no vendor advisory or patch information is included in the available data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23023
Vulnerability details
MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without HTML encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in an unauthenticated, public-facing web parameter directly enables remote exploitation of the application via crafted requests, which is the behaviour T1190 describes.
Mitigating Controls (NIST 800-53 r5)
SI-15 requires filtering of information output to prevent injection of malicious scripts like XSS payloads reflected in error messages.
SI-11 mandates secure error handling to avoid reflecting unencoded user input such as the 'layer' parameter in error messages, directly mitigating this XSS vulnerability.
SI-10 enforces input validation on parameters like 'layer' to reject or sanitize malicious payloads before they reach the error message reflection point.
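The reflected pattern described under "Deeper analysis" and the three controls listed above, shown side by side as an added PHP illustration that is not tileserver-php's own code: a handler that concatenates the raw "layer" value into the error markup, next to a hardened version that applies SI-10 (validate the parameter), SI-11 (never echo a rejected value) and SI-15 (HTML-encode whatever is echoed). The function names, the layer-name pattern, the CSP header and the sample value are assumptions made for this example.

```php
<?php
// Added illustration (not tileserver-php's own code): the reflected-XSS
// pattern the advisory describes, beside a hardened version that applies
// SI-10 (input validation) and SI-11/SI-15 (encoded error output).

declare(strict_types=1);

// Vulnerable pattern: the raw "layer" value is concatenated into HTML, so
// markup sent in the request is interpreted by the browser. Shown only to
// make the fix visible; do not deploy this form.
function renderLayerErrorVulnerable(string $layer): string
{
    return '<p>Layer "' . $layer . '" not found.</p>';
}

// SI-10: accept only the identifier shape a tile layer name can have.
// The pattern is an assumption for this example, not tileserver-php's rule.
function isValidLayerName(string $layer): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $layer);
}

// SI-11 / SI-15: a rejected value is logged server-side and never reflected;
// an accepted value is HTML-encoded before it reaches the error page, so
// any markup is rendered as text rather than executed.
function renderLayerErrorHardened(string $layer): string
{
    if (!isValidLayerName($layer)) {
        error_log('tileserver: rejected malformed layer parameter');
        return '<p>Invalid layer name.</p>';
    }
    $safe = htmlspecialchars($layer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Layer "' . $safe . '" not found.</p>';
}

// Constructed request value for the demonstration (harmless markup, not a
// real payload); a web request would supply ?layer=... instead.
$requested = $_GET['layer'] ?? '<b>demo</b>';

// Declaring the charset removes one class of encoding-confusion bypasses.
header('Content-Type: text/html; charset=UTF-8');
// Defence in depth: a CSP without 'unsafe-inline' keeps an inline script
// from running even if an encoding step is missed elsewhere in the app.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

echo renderLayerErrorHardened($requested), "\n";

// Self-check when run from the CLI: the vulnerable output carries the raw
// tag through, the hardened output never does, and a well-formed layer
// name is still reported back to the user.
if (PHP_SAPI === 'cli') {
    $bad = '<b>demo</b>';
    assert(str_contains(renderLayerErrorVulnerable($bad), '<b>'));
    assert(!str_contains(renderLayerErrorHardened($bad), '<b>'));
    assert(str_contains(renderLayerErrorHardened('osm-2024'), 'osm-2024'));
    assert(renderLayerErrorHardened('a"b') === '<p>Layer "Invalid layer name.</p>'
        || str_contains(renderLayerErrorHardened('a"b'), 'Invalid layer name'));
}
```

Run it with `php example.php` to exercise the self-checks, or place it behind a web server and request it with a `layer` query parameter to see the encoded error page. Validation alone would be enough to stop this particular reflection, but encoding at the output point is what SI-15 asks for and is the control that survives when a later code change adds a new parameter to the same error message.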