Cyber Resilience

CVE-2025-44136

Critical · Public PoC

Published: 29 July 2025

Modified: 06 August 2025
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1302 (percentile 94.2)
Risk Priority: 27 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-44136 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Maptiler Tileserver Php. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 5.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).

Deeper analysis

MapTiler Tileserver-php v2.0 is vulnerable to reflected cross-site scripting because the GET parameter "layer" is inserted directly into an error message without HTML encoding. The flaw is tracked as CVE-2025-44136 and carries a CVSS 3.1 score of 9.8.

An unauthenticated attacker can supply a crafted URL containing script payloads in the layer parameter and cause arbitrary HTML or JavaScript to execute in any browser that visits the link. The attack requires no credentials and can achieve full control over the victim’s session within the application origin.

EPSS for the vulnerability rose from a low baseline to a recorded peak of 0.1781, indicating that exploitation interest increased after public disclosure. Public references consist of a GitHub issue and a proof-of-concept repository, but no vendor advisory or patch information is included in the available data.


Vulnerability details

MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without HTML encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser.

CWE(s): CWE-79 (Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Reflected XSS in an unauthenticated, public-facing web parameter directly enables remote exploitation of the application via crafted requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-44137 (same product: Maptiler Tileserver Php)
CVE-2021-47873 (shared CWE-79)
CVE-2026-7052 (shared CWE-79)
CVE-2024-56060 (shared CWE-79)
CVE-2025-49043 (shared CWE-79)
CVE-2026-40038 (shared CWE-79)
CVE-2024-56022 (shared CWE-79)
CVE-2025-68889 (shared CWE-79)
CVE-2026-1074 (shared CWE-79)
CVE-2025-22539 (shared CWE-79)

Affected Assets

Vendor: maptiler · Product: tileserver php · Version: 2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

[prevent] SI-15 requires filtering of information output to prevent injection of malicious scripts like XSS payloads reflected in error messages.

[prevent] SI-11 mandates secure error handling to avoid reflecting unencoded user input such as the 'layer' parameter in error messages, directly mitigating this XSS vulnerability.

[prevent] SI-10 enforces input validation on parameters like 'layer' to reject or sanitize malicious payloads before they reach the error message reflection point.
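The reflection-without-encoding pattern described in the Deeper analysis, and the SI-10 / SI-11 / SI-15 controls listed above, as an added PHP illustration that is not tileserver-php's own code; the function names, the error-message wording and the layer-name character set are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration of the flaw class this record describes; not tileserver-php's code.
// render_error_vulnerable() mirrors the pattern in the advisory: a request parameter
// is interpolated into an HTML error message with no encoding (hypothetical wording).
function render_error_vulnerable(string $layer): string
{
    // The raw value becomes part of the markup, so any tags it carries are rendered.
    return "<p>Error: layer '" . $layer . "' not found.</p>";
}

// Hardened form (SI-11 / SI-15): encode on output so the value can only ever be text.
function render_error_safe(string $layer): string
{
    $encoded = htmlspecialchars($layer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Error: layer '" . $encoded . "' not found.</p>";
}

// Input validation (SI-10): in this hypothetical deployment a layer name is limited
// to a conservative character set, so anything else is rejected before reflection.
function is_valid_layer_name(string $layer): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $layer) === 1;
}

// Constructed sample value: harmless markup, enough to show how the two renderings differ.
$sample = '<b>demo</b>';

echo render_error_vulnerable($sample), PHP_EOL;
echo render_error_safe($sample), PHP_EOL;
var_dump(is_valid_layer_name($sample));
var_dump(is_valid_layer_name('osm-2019'));
```

Running the script with `php` prints the two renderings side by side: only the hardened one turns the sample's angle brackets into HTML entities, and the validator accepts just the plain layer name.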

References