CVE-2025-44136
CRITICAL | EXPLOITED | NUCLEI
MapTiler Tileserver-php v2.0 - Unauthenticated Reflected Cross-Site Scripting via Layer Parameter
Title source: llm
Exploitation Summary
CVE-2025-44136 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including mheranco. A Nuclei detection template is also available.
AI-analyzed exploit summary
This repository contains a proof-of-concept for an unauthenticated reflected XSS vulnerability in MapTiler Tileserver-php v2.0. The exploit leverages the 'layer' GET parameter to inject arbitrary JavaScript code, which is reflected in an error message without proper HTML encoding.
Description
MapTiler Tileserver-php v2.0 is vulnerable to reflected cross-site scripting (XSS). The value of the GET parameter "layer" is reflected in an error message without HTML encoding. An unauthenticated attacker who gets a victim to open a crafted URL can therefore execute arbitrary HTML or JavaScript in the victim's browser, within the origin of the tile server.
Exploits (1)
Nuclei Templates (1)
Search-engine fingerprint queries listed with the template (match on the HTTP page title):
- title:"TileServer-php"
- title="TileServer-php"
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)
Caveat: this vector does not match the vulnerability class. A reflected XSS needs a victim to open a crafted link (UI:R) and executes in the victim's browser rather than on the server (S:C, typically C:L/I:L/A:N, base score 6.1). Treat the 9.8 as an over-scoring of the record, not as evidence of code execution on the tile server itself.