CVE-2026-13163 · Lack of input validation in Mailerup input parameter leads to Open Redirect

Description

Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.

Weakness type (CWE)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Affected versions

Mailerup before 1.0.1 (all versions prior to 1.0.1). Default status: unaffected.

Score (CVSS 4.0)

5.3 — Medium

Solution

Upgrade to version 1.0.1 or higher.

Patch

Commit 99eb6d4

Credits

Darío Rivas Quero (Secur0 security team) — finder
Cristian Fernández Cornejo (Secur0 security team) — finder
Mario Álvarez Fernández — remediation developer
Xoán M. Otero Jorge — analyst
Secur0 CNA — coordinator

Discovery source: Internal

Official record: CVE-2026-13163