Open redirect vulnerability (CWE-601) in the saferedirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13163.json",
"cwe_ids": [
"CWE-601"
],
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "1.0.1"
}
],
"source": "AFFECTED_FIELD"
},
{
"extracted_events": [
{
"fixed": "1.0.1"
}
],
"source": "CPE_FIELD"
}
],
"cna_assigner": "Secur0"
}