osm-static-maps is vulnerable to template injection. Lack of validation of user input into the template parameter {{{tileserverUrl}}}
allows an attacker to inject arbitrary Javascript/HTML in a user’s browser, perform requests on behalf of the user or read arbitrary local files.