
CVE-2025-44136: n/a

Critical
Published: Tue Jul 29 2025 (07/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

MapTiler Tileserver-php v2.0 is vulnerable to Cross-Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without HTML encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser.

AI-Powered Analysis

Last updated: 07/29/2025, 17:18:14 UTC

Technical Analysis

CVE-2025-44136 is a reflected Cross-Site Scripting (XSS) vulnerability in MapTiler Tileserver-php version 2.0. The GET parameter "layer" is reflected in an error message without HTML encoding or sanitization, so an unauthenticated attacker can inject arbitrary HTML or JavaScript into the response. A victim who opens a crafted URL with a malicious "layer" value has the script executed in their browser, in the origin of the tile server. Because the payload runs in that origin, what it can reach depends on what else is served there: on a stand-alone tile host with no session cookies there is little to steal beyond the ability to deface the page or redirect the user, whereas on a host that shares its origin with an authenticated application the usual reflected-XSS consequences apply, including session hijacking, credential phishing, and content injection. Exploitation requires no authentication, but it does require user interaction (the victim must load the crafted link), which is the main limiting factor for reflected XSS.

No exploits are reported in the wild at the time of writing, but the issue is publicly disclosed and trivial to weaponize. No CVSS score has been assigned, so organizations need to assess severity themselves from the characteristics above. MapTiler Tileserver-php is a PHP-based tile server that serves map tiles for web mapping applications and is often embedded in geospatial services and location-based products. The flaw sits in the error-handling path, where user input is echoed back unsafely, a common source of reflected XSS.
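The reflection-then-encode pattern described above, as an added example in PHP that is not tileserver-php's own code: the function names, the error-message wording, the allow-list shape and the CSP value are assumptions for illustration, chosen to show the vulnerable construction beside a hardened one.

```php
<?php
// Added example: a minimal model of the reflected-XSS pattern described for
// CVE-2025-44136. This is NOT tileserver-php's own code; the function names,
// the error-message wording, the allow-list and the CSP value are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the "layer" GET parameter is concatenated into the
// error body as-is, so <script> or attribute-breaking payloads render live.
function renderErrorVulnerable(string $layer): string
{
    return '<p>Layer ' . $layer . ' not found</p>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also encodes ' and " so the value is safe inside attributes,
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8, and an
// explicit charset avoids bypasses that rely on a mis-detected encoding.
function renderErrorSafe(string $layer): string
{
    $escaped = htmlspecialchars($layer, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Layer ' . $escaped . ' not found</p>';
}

// Defence in depth: a layer name for a tile server has a narrow shape.
// Rejecting anything else means the error page never carries attacker markup,
// even if an encoding call is missed somewhere else. The allow-list is an
// assumption; adjust it to the names actually served.
function isValidLayerName(string $layer): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $layer);
}

// Response headers that limit what an injected script could do if one
// slipped through: a CSP with no script-src (so inline script is blocked)
// and a nosniff hint. Skipped under the CLI SAPI, where there is no response.
function sendHardeningHeaders(): void
{
    if (PHP_SAPI !== 'cli') {
        header("Content-Security-Policy: default-src 'none'; img-src 'self'; frame-ancestors 'none'");
        header('X-Content-Type-Options: nosniff');
    }
}

// Demonstration with a constructed payload of the classic form.
sendHardeningHeaders();
$payload = '<script>alert(document.domain)</script>';
echo 'vulnerable: ' . renderErrorVulnerable($payload) . PHP_EOL;
echo 'hardened:   ' . renderErrorSafe($payload) . PHP_EOL;
echo 'allow-list: ' . (isValidLayerName($payload) ? 'accept' : 'reject') . PHP_EOL;
```

Run it with `php` from the command line: the vulnerable line prints the payload intact, the hardened line prints it with `<`, `>` and quotes entity-encoded, and the allow-list check rejects it outright. Encoding at output is the actual fix; the allow-list and the CSP are independent layers that each still hold if one of the others is missed.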

Potential Impact

For European organizations that rely on MapTiler Tileserver-php to serve geospatial data or mapping services, exploitation means unauthorized script execution in users' browsers, in the tile server's origin. Where that origin also carries session cookies or authenticated functionality, an attacker can steal credentials or session tokens or inject phishing content into a trusted application; where the tile server is isolated, the realistic outcome is defacement, redirection, or abuse of the trusted domain in phishing links. Either way the result can be reputational damage, a data breach, or disruption of services that depend on map data. Public sector entities, transportation companies, urban planning agencies, and any business integrating mapping services are exposed. The vulnerability could also serve as a stepping stone for more complex attacks against internal networks if combined with other weaknesses. Because no authentication is required and the trigger is a crafted URL, any user of a vulnerable service is a potential victim, including employees, partners, and customers. The absence of known exploits limits immediate widespread impact, but public disclosure raises the likelihood of future exploitation.

Mitigation Recommendations

To mitigate this vulnerability, organizations should identify their MapTiler Tileserver-php installations and check the version in use. Since no patch links are provided, monitor the vendor's official channels for a security update addressing this XSS issue. In the interim, apply the fix at the source: HTML-encode the "layer" parameter wherever it is written into an error message (in PHP, htmlspecialchars() with ENT_QUOTES and an explicit UTF-8 charset), and additionally restrict layer names to an allow-list of the characters real layer names use, so that attacker-controlled markup never reaches the error page even if an encoding call is missed elsewhere. Send a Content Security Policy that disallows inline script to limit what an injected payload can do in browsers accessing the service; CSP reduces impact but does not remove the flaw. A Web Application Firewall can be configured to block script-like payloads in the "layer" parameter as a stopgap, keeping in mind that WAF rules are routinely bypassed with encoding tricks. Conduct security testing of the tile server integration points to find similar reflection flaws, and train developers and administrators on output encoding and safe error-message construction. Finally, monitor access logs for requests whose "layer" value contains tags, event-handler attributes, or javascript: URLs, decoding percent-encoding before matching, to detect attempted exploitation.
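The log-monitoring step described above, as an added example in PHP that is not part of tileserver-php or of this advisory. The access-log lines are constructed in combined log format, the request path /tileserver.php and the indicator patterns are assumptions, and the indicator list is a starting point rather than an exhaustive signature set.

```php
<?php
// Added example: a small scanner for attempts against the "layer" parameter.
// Not part of tileserver-php or the advisory. The log lines are constructed
// combined-format entries; /tileserver.php and the indicator list are assumptions.

declare(strict_types=1);

// Constructed sample lines. Attackers usually percent-encode payloads, so the
// scanner decodes the query string before matching.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [29/Jul/2025:10:01:22 +0000] "GET /tileserver.php?layer=streets HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jul/2025:10:02:03 +0000] "GET /tileserver.php?layer=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 734 "-" "curl/8.0"
198.51.100.9 - - [29/Jul/2025:10:02:41 +0000] "GET /tileserver.php?layer=x%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 404 740 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Jul/2025:10:03:10 +0000] "GET /tileserver.php?layer=satellite HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jul/2025:10:04:55 +0000] "GET /tileserver.php?layer=javascript:alert(1) HTTP/1.1" 404 722 "-" "curl/8.0"
LOG;

// Patterns that are never legitimate in a layer name: tag openers, event
// handler attributes, javascript: URLs, and quote/angle characters in general.
const INDICATORS = [
    'tag'     => '/<\s*\/?\s*[a-z]/i',
    'handler' => '/\bon[a-z]+\s*=/i',
    'js_url'  => '/javascript\s*:/i',
    'meta'    => '/["\'<>]/',
];

/** Extract the decoded value of ?layer= from one combined-format line, or null. */
function extractLayer(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params); // parse_str percent-decodes the values
    return (isset($params['layer']) && is_string($params['layer'])) ? $params['layer'] : null;
}

/** Return one finding per suspicious line: ['ip' => ..., 'layer' => ..., 'hits' => [...]]. */
function scanLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $layer = extractLayer($line);
        if ($layer === null) {
            continue;
        }
        $hits = [];
        foreach (INDICATORS as $name => $re) {
            if (preg_match($re, $layer)) {
                $hits[] = $name;
            }
        }
        if ($hits !== []) {
            $findings[] = ['ip' => strtok($line, ' '), 'layer' => $layer, 'hits' => $hits];
        }
    }
    return $findings;
}

foreach (scanLog(SAMPLE_LOG) as $f) {
    printf("%-14s %-13s layer=%s\n", $f['ip'], implode(',', $f['hits']), $f['layer']);
}
```

Run with `php` from the command line; the two benign requests (streets, satellite) produce no output and the three crafted ones are reported with the indicators they tripped. Matching after decoding matters: the same rules applied to the raw request line would miss the percent-encoded `<script>` and the `%22 onmouseover` attribute break. In production, feed real access logs in and add the decoded value to the alert so an analyst can judge it without re-parsing the line.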


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CVSS Version: null (no CVSS score assigned)
State: PUBLISHED

Threat ID: 6888feb4ad5a09ad008eef14

Added to database: 7/29/2025, 5:02:44 PM

Last enriched: 7/29/2025, 5:18:14 PM

Last updated: 8/31/2025, 8:47:31 AM

