Tileserver - XSS (CVE-2025-44136)

CVE-2025-44136 is a critical cross-site scripting (XSS) vulnerability in MapTiler Tileserver-php v2.0, where the "layer" GET parameter is improperly handled and reflected in error messages without proper HTML encoding. This flaw allows unauthenticated attackers to inject and execute arbitrary HTML or JavaScript code in a victim's browser, potentially leading to session hijacking, credential theft, or other malicious actions.

CrowdSec has been tracking this vulnerability and its exploits since 26th of November 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-44136 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-44136 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-44136 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit this vulnerability by sending requests to URLs like /tileserver.php/wmts/x/1/1/asd with a crafted layer parameter containing malicious JavaScript, resulting in reflected XSS in error messages.