CVE-2024-35627
Description
tileserver-gl up to v4.4.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /data/v3/?key.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in tileserver-gl ≤4.4.10 via /data/v3/?key allows arbitrary JavaScript execution.
Vulnerability
TileServer GL versions up to and including 4.4.10 contain a reflected cross-site scripting (XSS) vulnerability in the /data/v3/?key component. The key parameter is reflected in the application's response without proper sanitization, allowing an attacker to inject arbitrary JavaScript code into the response. [1]
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload in the key parameter and deliver it to a victim, typically via phishing or social engineering. The victim's browser then executes the script in the context of the TileServer GL application. No authentication is required to trigger the vulnerability. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially compromising user accounts, stealing sensitive data, performing actions on behalf of the user, and even affecting other applications hosted on the same domain. The scope of impact can extend beyond TileServer GL users if co-located applications share the same domain. [1]
Mitigation
The vulnerability is patched in TileServer GL version 4.5.0. Users are strongly advised to upgrade to the latest version to mitigate the risk. [1]
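To make the bug class concrete, here is an added example (not tileserver-gl's code, and not derived from the patch) showing a minimal reflected-XSS sink of the kind the Vulnerability section describes, next to a hardened handler. Only the route and the `key` query parameter come from the advisory; the page template, `escapeHtml()` and the key allowlist are assumptions.

```javascript
// Added example, not tileserver-gl's code: a minimal reflected-XSS bug of
// the kind the advisory describes, beside a hardened handler.
// The "key" query parameter follows the advisory; the page template,
// escapeHtml() and the key allowlist are assumptions.

// Unsafe: the untrusted query value is concatenated into HTML verbatim,
// so a value containing markup is interpreted by the browser as markup.
function renderUnsafe(query) {
  const key = query.key ?? '';
  return `<p>Data for key: ${key}</p>`;
}

// HTML entity encoding for text placed inside an element body or a
// double-quoted attribute. Encoding at the output sink is the primary fix.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Defence in depth: an API key is an opaque token, so reject anything
// outside a tight allowlist before it reaches any sink at all.
const KEY_PATTERN = /^[A-Za-z0-9_-]{1,128}$/;

function isValidKey(key) {
  return typeof key === 'string' && KEY_PATTERN.test(key);
}

// Hardened: validate the input shape, then encode at the HTML sink.
// Returns { status, body } so the result can be asserted on directly.
function renderSafe(query) {
  const key = query.key ?? '';
  if (!isValidKey(key)) {
    return { status: 400, body: '<p>Invalid key</p>' };
  }
  return { status: 200, body: `<p>Data for key: ${escapeHtml(key)}</p>` };
}

// Constructed inputs: a benign key and a value carrying markup.
function demo() {
  const benign = { key: 'abc_123-xyz' };
  const markup = { key: '<b>not a key</b>' };
  return {
    unsafe: renderUnsafe(markup),     // markup survives into the page
    safeRejected: renderSafe(markup), // 400: fails the allowlist
    safeBenign: renderSafe(benign),   // 200 with the key encoded
    encoded: escapeHtml(markup.key),  // what encoding alone would produce
  };
}
```

Either layer alone (validation or output encoding) stops the reflected case; keeping both means a later change to the allowlist does not silently reopen the sink.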
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.4.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.