CVE-2025-44137

CVE Database · CVE-2025-44137

CVE-2025-44137

· HIGHModified

CVSS v3.1

8.2

EPSS

1.30%

Published

Jul 29, 2025

Modified

Jan 20, 2026

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

MapTiler Tileserver-php v2.0 is vulnerable to Directory Traversal. The renderTile function within tileserver.php is responsible for delivering tiles that are stored as files on the server via web request. Creating the path to a file allows the insertion of "../" and thus read any file on the web server. Affected GET parameters are "TileMatrix", "TileRow", "TileCol" and "Format"

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Weaknesses (CWE)

CWE-22

Affected Products (1)

maptiler · tileserver_phpvulnerable

References (3)

https://github.com/maptiler/tileserver-php/commit/4fe14e6164bbe2a3f9e3b3d7acf303e3ec210c8e

https://github.com/maptiler/tileserver-php/issues/167

ExploitIssue Tracking

https://github.com/mheranco/CVE-2025-44137

Exploit

KEV Catalog EPSS Scores Vendors All CVEs