CVE Catalog

CVE-2026-13163

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile — higher than 25% of all known CVEs

Summary

CVE-2026-13163 describes an open redirect vulnerability in the _safe_redirect function of the click-tracking endpoint in Mailerup versions before 1.0.0. This allows remote unauthenticated attackers to redirect victims to arbitrary external sites, potentially leading to phishing attacks.

Risk Assessment

Organizations may become targets of phishing attacks, which can result in user data theft and loss of trust in services. This vulnerability poses a risk to user security and the company's reputation.

Recommendation

It is recommended to update Mailerup to version 1.0.0 or later to mitigate this vulnerability. Additionally, implementing extra security measures against open redirects is advisable.

Original NVD description (English source)

Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS