Cyber Posture

CVE-2025-44136

Severity: Critical · Public PoC available

Published: 29 July 2025
Modified: 06 August 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1302 (percentile 94.1)
Risk Priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-44136 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in MapTiler Tileserver-php. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 5.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-15 (prevent): requires filtering of information output to prevent injection of malicious scripts, such as XSS payloads reflected in error messages.

SI-11 (prevent): mandates secure error handling that avoids reflecting unencoded user input, such as the 'layer' parameter, in error messages, directly mitigating this XSS vulnerability.

SI-10 (prevent): enforces input validation on parameters like 'layer' so that malicious payloads are rejected or sanitized before they reach the error-message reflection point.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Reflected XSS in an unauthenticated, public-facing web parameter directly enables remote exploitation of the application via crafted requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without html encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser.

Deeper analysis

MapTiler Tileserver-php version 2.0 is affected by CVE-2025-44136, a cross-site scripting (XSS) vulnerability classified under CWE-79 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw occurs because the "layer" GET parameter is reflected in an error message without HTML encoding, enabling the injection of malicious scripts.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. Exploitation allows attackers to execute arbitrary HTML or JavaScript code in the victim's browser, compromising confidentiality, integrity, and availability to a high degree.

Mitigation details and further discussion are available in the project's GitHub issue tracker at https://github.com/maptiler/tileserver-php/issues/167 and a related proof-of-concept repository at https://github.com/mheranco/CVE-2025-44136.
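The encoding gap described above, and the SI-10/SI-11/SI-15 controls listed earlier, as an added illustration in PHP. This is hypothetical code written for this page, not tileserver-php's own handler; the function names, the layer-name pattern and the sample value are assumptions.

```php
<?php
// Hypothetical PHP error handler illustrating the bug class described above.
// It is NOT tileserver-php's code; function names and patterns are assumed.
// A request handler would pass $_GET['layer'] ?? '' into these functions.

// Unencoded pattern: the raw query value is concatenated into the error
// page, so any markup contained in "layer" is rendered by the browser.
function renderLayerErrorUnencoded(string $layer): string
{
    return '<p>Layer "' . $layer . '" not found.</p>';
}

// Hardened pattern (SI-11 / SI-15): encode the value for an HTML context
// before it is emitted. ENT_QUOTES also encodes single and double quotes,
// so the value stays inert inside attribute values; the explicit UTF-8
// charset avoids encoding-mismatch surprises.
function renderLayerErrorEncoded(string $layer): string
{
    $encoded = htmlspecialchars($layer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Layer "' . $encoded . '" not found.</p>';
}

// Additional layer (SI-10): validate the value against the expected name
// format before it is used at all, rejecting anything else up front.
function isValidLayerName(string $layer): bool
{
    // Assumption: layer ids are short names made of letters, digits, - _ .
    return (bool) preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $layer);
}

// Constructed sample value containing markup, used only to compare outputs.
$sample = '<b>demo</b>';
echo "unencoded:  " . renderLayerErrorUnencoded($sample) . "\n";
echo "encoded:    " . renderLayerErrorEncoded($sample) . "\n";
echo "valid name: " . (isValidLayerName($sample) ? 'yes' : 'no') . "\n";
```

Run from the CLI, the encoded line shows `&lt;b&gt;demo&lt;/b&gt;` in place of the raw tags, and the validator rejects the sample before it reaches either renderer.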

Details

CWE(s): CWE-79

Affected Products: maptiler tileserver php 2.0

CVEs Like This One

CVE-2025-44137 (same product: MapTiler Tileserver-php)
CVE-2026-23807 (shared CWE-79)
CVE-2025-27005 (shared CWE-79)
CVE-2025-68520 (shared CWE-79)
CVE-2026-0800 (shared CWE-79)
CVE-2025-26555 (shared CWE-79)
CVE-2025-46199 (shared CWE-79)
CVE-2024-56060 (shared CWE-79)
CVE-2025-23570 (shared CWE-79)
CVE-2024-56056 (shared CWE-79)
