Description
Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.
Published: 2026-06-24
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an open redirect in Mailerup’s click‑tracking endpoint. An attacker can supply a crafted `u` query parameter that passes the scheme check by using an allowed scheme (http or https) while the destination host is never checked against an allowlist. Because the endpoint silently catches the BadSignature exception, a valid signed token is not required, which makes the redirect easier to abuse. As a result, victims who click a seemingly legitimate tracking link can be sent to any external site, creating a serious risk of phishing or credential theft.

Affected Systems

Any Mailerup installation running a version earlier than 1.0.0 on any platform is impacted. The issue exists across all operating systems supported by the product as the redirect logic is not platform‑specific.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. EPSS data is not provided, and the vulnerability is not listed in the CISA KEV catalog, which suggests no widespread exploitation is known yet. Despite this, the flaw allows unauthenticated attackers to construct and share malicious URLs, so the likelihood of use in targeted phishing campaigns remains significant. The lack of signature validation further lowers the barrier to exploitation.

Generated by OpenCVE AI on June 24, 2026 at 15:28 UTC.

Remediation

Vendor Solution

Upgrade to version 1.0.1 or higher.


OpenCVE Recommended Actions

  • Upgrade Mailerup to version 1.0.1 or later, which fixes the input validation and removes the silent BadSignature catch.
  • Block or disable the click‑tracking endpoint until the update is applied to prevent accidental redirects.
  • Implement a host allowlist or URL filtering on the attack surface to restrict redirection destinations to trusted domains as an interim safeguard.

Generated by OpenCVE AI on June 24, 2026 at 15:28 UTC.
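The following is an added, constructed illustration of the two defects the description names (scheme-only validation of `u`, and a swallowed BadSignature making the token optional) beside the hardened shape the recommended actions call for (a mandatory valid token plus a host allowlist). It is not Mailerup's code and does not reproduce the real `_safe_redirect`; the HMAC signer, the secret, the hostnames in `ALLOWED_HOSTS` and the sample URLs are all assumptions standing in for a framework signing module and a real deployment.

```python
"""Constructed example (not Mailerup's code): a scheme-only redirect check
beside a hardened one. `sign`/`unsign`/`BadSignature` are a stand-in for a
framework signing module such as the one the advisory's `signing.BadSignature`
comes from; the secret and allowlist are assumptions."""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

SECRET = b"constructed-demo-secret"                 # assumption: server-side key
ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed allowlist
FALLBACK = "/"                                      # where rejected redirects land


class BadSignature(Exception):
    """Raised when a token's MAC does not verify (stand-in for signing.BadSignature)."""


def _mac(value: str) -> str:
    digest = hmac.new(SECRET, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign(value: str) -> str:
    """Produce 'value:signature', the token form a tracking link would carry."""
    return f"{value}:{_mac(value)}"


def unsign(token: str) -> str:
    """Return the signed value, or raise BadSignature on any tampering."""
    value, sep, sig = token.rpartition(":")
    if not sep or not hmac.compare_digest(sig.encode(), _mac(value).encode()):
        raise BadSignature("token signature mismatch")
    return value


def vulnerable_safe_redirect(token: str, u: str) -> str:
    """The flawed shape: scheme is checked, host is not, and a bad token is ignored."""
    try:
        unsign(token)
    except BadSignature:
        pass  # silently swallowed: the token is effectively optional
    if urlparse(u).scheme.lower() in ("javascript", "data"):
        return FALLBACK
    return u  # any http(s) host passes, including one the attacker controls


def hardened_safe_redirect(token: str, u: str) -> str:
    """Hardened shape: a valid token is mandatory and the host must be allowlisted."""
    try:
        unsign(token)
    except BadSignature:
        return FALLBACK  # reject; responding 404 instead is equally reasonable
    parsed = urlparse(u)
    # Require an absolute http(s) URL, which also rejects protocol-relative "//host/".
    if parsed.scheme.lower() not in ("http", "https"):
        return FALLBACK
    # urlparse().hostname drops userinfo and port, so "https://example.com@evil.example/"
    # is judged by the host a browser would actually connect to.
    if parsed.hostname is None or parsed.hostname.lower() not in ALLOWED_HOSTS:
        return FALLBACK
    return u


if __name__ == "__main__":
    token = sign("link-42")  # constructed tracking-link identifier
    cases = [
        (token, "https://example.com/offer"),
        ("forged-token", "https://evil.example/login"),
        (token, "//evil.example/"),
        (token, "https://example.com@evil.example/"),
    ]
    for fn in (vulnerable_safe_redirect, hardened_safe_redirect):
        for tok, dest in cases:
            print(f"{fn.__name__}: {dest!r} -> {fn(tok, dest)!r}")
```

Comparing the two functions on the same inputs shows why blocking `javascript:` and `data:` alone is insufficient: a forged token with an ordinary `https://` URL to a foreign host sails through the first version and is refused by the second. A stronger design still is to bind the destination into the signed payload so the endpoint never trusts a free-form `u` at all.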

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:00:00 +0000

Type                  Values Removed    Values Added
Description                             Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.
Title                                   Lack of input validation in Mailerup input parameter leads to Open Redirect
First Time appeared                     Mailerup; Mailerup mailerup
Weaknesses                              CWE-601
CPEs                                    cpe:2.3:a:mailerup:mailerup:*:*:*:*:*:*:*:*
Vendors & Products                      Mailerup; Mailerup mailerup
References
Metrics                                 cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Secur0

Published:

Updated: 2026-06-24T13:07:07.003Z

Reserved: 2026-06-24T12:44:34.692Z

Link: CVE-2026-13163

Vulnrichment

Updated: 2026-06-24T13:07:01.543Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:30:17Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')