tileserver-gl up to v4.4.10 exists to contain a cross-site scripting (XSS) vulnerability via the component /data/v3/?key.