CVE-2020-15500

MEDIUM NUCLEI

TileServer GL < 3.0.0 - Reflected Cross-Site Scripting via Key GET Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-15500. PoCs published by Akash Chathoth. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in Tileserver-gl versions <3.1.0 by injecting a malicious script via the 'key' URL parameter. The PoC triggers an alert with the document domain, confirming the vulnerability.

Description

An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.

Exploits (1)

exploitdb WORKING POC
by Akash Chathoth · textwebappsmultiple
https://www.exploit-db.com/exploits/49771

This exploit demonstrates a reflected XSS vulnerability in Tileserver-gl versions <3.1.0 by injecting a malicious script via the 'key' URL parameter. The PoC triggers an alert with the document domain, confirming the vulnerability.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Tileserver-gl <3.1.0
No auth needed
Prerequisites: Access to a vulnerable Tileserver-gl instance
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

TileServer GL <=3.0.0 - Cross-Site Scripting
MEDIUMby Akash.C

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/maptiler/tileserver-gl/issues/461
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html

Scores

CVSS v3 6.1
EPSS 0.1452
EPSS Percentile 94.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
npm/tileserver-gl 0 - 3.1.0npm
tileserver/tileservergl < 3.0.0
Published Jul 01, 2020
Tracked Since Feb 18, 2026