CVE-2026-13163
Lack of input validation in Mailerup input parameter leads to Open Redirect
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.
| CWE | CWE-601 |
| Vendor | mailerup |
| Product | mailerup |
| Published | Jun 24, 2026 |
| Last Updated | Jun 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for mailerup mailerup
Be the first to know when new unknown vulnerabilities affecting mailerup mailerup are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Mailerup / Mailerup
0 < 1.0.1
References
Credits
Dario Rivas Quero from Secur0 security team Cristian Fernandez Cornejo from Secur0 security team Mario Alvarez Fernandez Xoan M. Otero Jorge Secur0 CNA