CVE-2026-13163
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk25th percentile — higher than 25% of all known CVEs
Summary
CVE-2026-13163 describes an open redirect vulnerability in the _safe_redirect function of the click-tracking endpoint in Mailerup versions before 1.0.0. This allows remote unauthenticated attackers to redirect victims to arbitrary external sites, potentially leading to phishing attacks.
Risk Assessment
Organizations may become targets of phishing attacks, which can result in user data theft and loss of trust in services. This vulnerability poses a risk to user security and the company's reputation.
Recommendation
It is recommended to update Mailerup to version 1.0.0 or later to mitigate this vulnerability. Additionally, implementing extra security measures against open redirects is advisable.
Original NVD description (English source)
Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.

