Unrated severityNVD Advisory· Published Jul 29, 2025· Updated Jan 20, 2026

CVE-2025-44137

Description

MapTiler Tileserver-php v2.0 is vulnerable to Directory Traversal. The renderTile function within tileserver.php is responsible for delivering tiles that are stored as files on the server via web request. Creating the path to a file allows the insertion of "../" and thus read any file on the web server. Affected GET parameters are "TileMatrix", "TileRow", "TileCol" and "Format"

Affected products

MapTiler/Tileserver-phpdescription
Maptiler/Tileserver Glllm-fuzzy
Range: = 2.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/maptiler/tileserver-php/commit/4fe14e6164bbe2a3f9e3b3d7acf303e3ec210c8emitre
github.com/maptiler/tileserver-php/issues/167mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000