CVE-2026-13163 PUBLISHED

Lack of input validation in Mailerup input parameter leads to Open Redirect

Assigner: Secur0
Reserved: 24.06.2026 Published: 24.06.2026 Updated: 24.06.2026

Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
CVSS Score: 5.3

Product Status

Vendor Mailerup
Product Mailerup
Versions Default: unaffected
  • affected from 0 to 1.0.1 (excl.)

Solutions

Upgrade to version 1.0.1 or higher.

Credits

  • Dario Rivas Quero from Secur0 security team finder
  • Cristian Fernandez Cornejo from Secur0 security team finder
  • Mario Alvarez Fernandez remediation developer
  • Xoan M. Otero Jorge analyst
  • Secur0 CNA coordinator

References

Problem Types

  • CWE-601 URL redirection to untrusted site ('open redirect') CWE